General

  • Target

    Updated PI.rar

  • Size

    617KB

  • Sample

    231023-eqvclsfg92

  • MD5

    9d892baf83b0ae76b23c5b131c27821b

  • SHA1

    6c598bc6851fc7a0373b8192b7d35cec1d496184

  • SHA256

    486ba5fdde75fa950eaf62f9a9d4c174d9b24648e461ec4a614b37b5d69fc16c

  • SHA512

    53d94532026b01963bd3cdb45acb9c8d1205175f874600f292cc1a9f2437949a7ac6abd8b5f213c2c345550cd9fb6183d0c5300d209f4606b958d09bff71b041

  • SSDEEP

    12288:4NwoUcOehR4SQmYxXGhs3Oi/MtrSG4LGUajuMkFHij+XVrNUFcyoFWZKpezxg:4GPrwLQmYx7t/M59zjuXkj+FByo7ezxg

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.svshygiene.com.my
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    1122Jon889900

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Updated PI.exe

    • Size

      654KB

    • MD5

      700df676d2f191d31dffd642c6097431

    • SHA1

      50c7b7bac21a63e177e68c53ae43c3cbb8d92378

    • SHA256

      821ec2ddc08c58c9f292ccf54ba288925f3bd591224c39dea71d4711e6cbc1e9

    • SHA512

      208967eade0483db41bcd974661813c07791698d632ad2724293aa4a697aa1e48a775ae67c8146d70e03a96b60cf99397c1d767f730671b71d974ac964f6732d

    • SSDEEP

      12288:wYI75TKHtYp8L0O2Ib47m1m1VnNH0uZliaKCZrFBsEvH9v+MMFgR/mZRM+:4mSBqbQoOF0uZliaRrFBsEvH9v+tFgkJ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks