Overview

overview

10

Static

static

3

EME-S23501...60.exe

windows7-x64

10

EME-S23501...60.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    765600239.eml

  • Size

    1.1MB

  • Sample

    240329-hexv5scd68

  • MD5

    f7fa447ea6d826d71970a56bd3963351

  • SHA1

    4b02655dbab1273cdffc506e6c5771772fcc7d03

  • SHA256

    c11d167518c4f45260e5899a06fb6cf395d956f8f0a9f50060169b93651380ed

  • SHA512

    52c5973b725ac33a4dee2a387ea1f9b113deec1e8a28b503ef70f940d46c52dde6abf0f0e1289245020870ded383a76f381c0de1b28cdfdea9d3aac2448ffe62

  • SSDEEP

    24576:t4aX9rA/MSGvli6FGdsLDvE092qkrDuYsXhCJvKzvtw:TBPdi61vSK2

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.strictfacilityservices.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    SFS!@#321

Targets

    • Target

      EME-S235014 our PO 777214560.exe

    • Size

      632KB

    • MD5

      d4c34b180ce3daa302737b6253b1850e

    • SHA1

      645908165e66e075aa491b73e9754ccc690378f5

    • SHA256

      251abc34a41e32fbd9a14a8bd4898270aa248c66ce1cde96673eed6d8c2c4980

    • SHA512

      e432c142d126d7bca727892acb2cb5c4aeefa7e0016a89944570842337fbe85ac31db79747eae730714f48852bc8d483c2122634a5b422b338a13b9fa225bc33

    • SSDEEP

      12288:thWnIb1wkEwN8A1/l76qrV1Zngxp9b0BQeZKfuyx75qwi:yIb93G4N75rDmxrbf

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks