General

  • Target

    bac229d28544292d41b53ddc974a7444.bin

  • Size

    600KB

  • Sample

    231121-dcnggacd3s

  • MD5

    acff319b07f54d34d0bae5b6a6f8e855

  • SHA1

    ee49852355f18ddab7de29e68231afa5e05e3523

  • SHA256

    59563758446c6fb081d2ed6fff0e9686704b8bca204358fe600a7c2e51f8e545

  • SHA512

    4c1b012a059554b2d38237a661a97ef3d95d0bcc97ba8d42a7de5d9372f5f6915f890cf5753be38b04cfed71b5ee42eefd52e48007b77b5abb9e4924b956d199

  • SSDEEP

    12288:Ni6U0ormedQzK0lkmtGS7hy+WFkD12XE4pE9k7E1gye8l7FrCGhvHbfwlQA:NfoFziGS7hyByD1v4K/GQ1XDfoQA

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    boys@opttools-tw.com
  • Password:
    kV$bSqJ1 daniel
  • Email To:
    boys@opttools-tw.com

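The extracted config above gives a complete exfiltration profile: a submission server, TCP/587, and a mailbox that is both the login name and the recipient. The following is an added detection example, not part of the sandbox report: it runs a rule over constructed records in the shape of Zeek smtp.log JSON lines (an assumption, as is the premise that the sensor sees the SMTP envelope before STARTTLS; Zeek does not log the AUTH username, so the rule keys on the envelope addresses and the submission port rather than on the credential itself).

```python
"""Detection logic for the SMTP exfiltration profile extracted above.

Added example, not part of the sandbox report. The records below are
constructed in the shape of Zeek smtp.log JSON lines (assumption: the sensor
sees the SMTP envelope before STARTTLS, and Zeek does not log the AUTH
username), so the rule keys on the envelope addresses and the submission
port rather than on the credential itself.
"""
import json

# Exfiltration settings copied from the extracted Agent Tesla config above.
EXFIL_HOST = "us2.smtp.mailhostbox.com"  # not present in smtp.log; use it for DNS/proxy pivots
EXFIL_PORT = 587
EXFIL_MAILBOX = "boys@opttools-tw.com"   # Username and "Email To" are the same mailbox

# Constructed sample records (not real telemetry from the sandbox run).
SAMPLE_LOG = """\
{"ts":1700570000.1,"uid":"CAAA1","id.orig_h":"10.0.0.15","id.resp_h":"203.0.113.10","id.resp_p":587,"helo":"DESKTOP-Q1","mailfrom":"boys@opttools-tw.com","rcptto":["boys@opttools-tw.com"],"tls":true}
{"ts":1700570005.7,"uid":"CAAA2","id.orig_h":"10.0.0.22","id.resp_h":"198.51.100.5","id.resp_p":25,"helo":"mx.example.net","mailfrom":"alice@example.com","rcptto":["bob@example.org"],"tls":false}
{"ts":1700570010.3,"uid":"CAAA3","id.orig_h":"10.0.0.15","id.resp_h":"203.0.113.10","id.resp_p":587,"helo":"DESKTOP-Q1","mailfrom":"boys@opttools-tw.com","rcptto":["boys@opttools-tw.com"],"tls":true}
{"ts":1700570020.0,"uid":"CAAA4","id.orig_h":"10.0.0.40","id.resp_h":"192.0.2.77","id.resp_p":587,"helo":"LAPTOP-7","mailfrom":"carol@example.com","rcptto":["dave@example.com"],"tls":true}
{"ts":1700570031.9,"uid":"CAAA5","id.orig_h":"10.0.0.51","id.resp_h":"192.0.2.90","id.resp_p":587,"helo":"DESKTOP-Z9","mailfrom":"eve@example.com","rcptto":["eve@example.com"],"tls":true}
"""


def parse_records(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify(rec):
    """Return (severity, reason) for one smtp.log record, or None if it is clean."""
    port = rec.get("id.resp_p")
    mailfrom = (rec.get("mailfrom") or "").lower()
    rcpts = [r.lower() for r in (rec.get("rcptto") or [])]

    # Strong rule: the envelope uses the mailbox from the extracted config.
    if mailfrom == EXFIL_MAILBOX or EXFIL_MAILBOX in rcpts:
        return ("high", "envelope address matches extracted Agent Tesla config")

    # Weaker rule derived from the shape of the config: self-addressed mail
    # from an internal host straight to an external submission port, which is
    # how this sample delivers its loot (sender and recipient are one mailbox).
    if port == EXFIL_PORT and mailfrom and rcpts == [mailfrom]:
        return ("medium", "self-addressed submission on 587 (config-shaped)")
    return None


def scan(text):
    """Run classify() over every record and collect alerts in log order."""
    alerts = []
    for rec in parse_records(text):
        hit = classify(rec)
        if hit:
            alerts.append({
                "uid": rec["uid"],
                "orig": rec["id.orig_h"],
                "severity": hit[0],
                "reason": hit[1],
            })
    return alerts


def affected_hosts(alerts):
    """Distinct internal source addresses that raised an alert, sorted."""
    return sorted({a["orig"] for a in alerts})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:6} {a['uid']} {a['orig']}: {a['reason']}")
    print("hosts to triage:", ", ".join(affected_hosts(found)))
```

The medium rule is deliberately broad (any self-addressed submission on 587) and is meant for hunting, not for paging: legitimate "send to myself" traffic from a mail client will trip it, so pair it with the external IP lookup and Run-key behaviour listed under Targets before escalating.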
Targets

    • Target

      RFQ.exe

    • Size

      728KB

    • MD5

      2a62b3b50dc20a361eaa8956ca312a81

    • SHA1

      835dce3de7679964b51f14c1d7efeac5e795fbf5

    • SHA256

      4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30

    • SHA512

      1356c26448e0f1ddd68e8e0b5c4bce21cf26454f15a87e493b47c15b682e9af915d09c465d68a826dc0f5cf5d6d931e135fe312624f4ede011f69212e9bbdd08

    • SSDEEP

      12288:oXkNp2iNkuPF33L1BL4yE8M37kEGMj9WHpP92tMRdIrHVTlcZxB8Dbya24vA:fp1l5b1et8iGMj9WJPIMRUVT6ZU44v

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET; this sample exfiltrates over SMTP using the credentials in the extracted config.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and the like.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

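The General and Targets sections list MD5, SHA1, SHA256 and SHA512 for both the submitted .bin and the dropped RFQ.exe. The following is an added example, not part of the sandbox report, that hashes files in a single pass and checks them against those values; the hash strings are copied from this page, the file bytes in demo() are constructed so the check runs offline, and SSDEEP is left out because it needs the third-party ssdeep module.

```python
"""Verify files against the hashes this report lists for the two targets.

Added example, not part of the sandbox report. The hash values are copied
from the page; the file bytes used in demo() are constructed so the check
runs offline. SSDEEP is omitted because it needs the third-party ssdeep module.
"""
import hashlib
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256", "sha512")

# IOCs copied from this report.
KNOWN = {
    "bac229d28544292d41b53ddc974a7444.bin": {
        "md5": "acff319b07f54d34d0bae5b6a6f8e855",
        "sha1": "ee49852355f18ddab7de29e68231afa5e05e3523",
        "sha256": "59563758446c6fb081d2ed6fff0e9686704b8bca204358fe600a7c2e51f8e545",
        "sha512": "4c1b012a059554b2d38237a661a97ef3d95d0bcc97ba8d42a7de5d9372f5f6915f890cf5753be38b04cfed71b5ee42eefd52e48007b77b5abb9e4924b956d199",
    },
    "RFQ.exe": {
        "md5": "2a62b3b50dc20a361eaa8956ca312a81",
        "sha1": "835dce3de7679964b51f14c1d7efeac5e795fbf5",
        "sha256": "4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30",
        "sha512": "1356c26448e0f1ddd68e8e0b5c4bce21cf26454f15a87e493b47c15b682e9af915d09c465d68a826dc0f5cf5d6d931e135fe312624f4ede011f69212e9bbdd08",
    },
}


def digest_file(path, chunk_size=1 << 20):
    """Hash a file with every algorithm in ALGOS in a single read pass."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digest_bytes(data):
    """Same digests for an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def match_known(digests, known=KNOWN):
    """Return (target name, algorithms that disagree) for the IOC entry whose
    SHA256 equals the file's, or (None, []) when nothing matches. A non-empty
    disagreement list means the IOC entry itself is inconsistent."""
    for target, expected in known.items():
        if digests["sha256"] == expected["sha256"]:
            bad = [a for a in ALGOS if a != "sha256" and digests[a] != expected[a]]
            return target, bad
    return None, []


def scan_dir(root, known=KNOWN):
    """Map every regular file under root to the matching report target (or None)."""
    root = Path(root)
    return {p.name: match_known(digest_file(p), known)[0]
            for p in sorted(root.rglob("*")) if p.is_file()}


def demo():
    """Two constructed files, one registered under a constructed IOC entry so
    the positive path is exercised without the real sample on disk."""
    sample = b"constructed sample bytes, not the real dropper"
    known = dict(KNOWN)
    known["constructed-sample.bin"] = digest_bytes(sample)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "constructed-sample.bin").write_bytes(sample)
        (root / "benign.txt").write_bytes(b"nothing to see here")
        return scan_dir(root, known)


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit or 'no match'}")
```

Matching on SHA256 and then cross-checking the other digests catches a transcription error in an IOC feed, which is worth doing before a hash goes into a blocklist; the SHA512 strings above are long enough that a copy-paste slip is easy.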
MITRE ATT&CK Matrix (ATT&CK v13)

  Techniques are grouped by tactic; the number in parentheses is the count of sandbox signatures mapped to that technique.

  • Execution

      T1053 Scheduled Task/Job (1)

  • Persistence

      T1547 Boot or Logon Autostart Execution (1)
      T1547.001 Registry Run Keys / Startup Folder (1)
      T1053 Scheduled Task/Job (1)

  • Privilege Escalation

      T1547 Boot or Logon Autostart Execution (1)
      T1547.001 Registry Run Keys / Startup Folder (1)
      T1053 Scheduled Task/Job (1)

  • Defense Evasion

      T1112 Modify Registry (1)

  • Credential Access

      T1552 Unsecured Credentials (3)
      T1552.001 Credentials In Files (3)

  • Discovery

      T1012 Query Registry (1)
      T1082 System Information Discovery (2)

  • Collection

      T1005 Data from Local System (3)
      T1114 Email Collection (1)

Tasks