Overview

overview

10

Static

static

5

RFQ_PO_645...ls.exe

windows10-2004-x64

10

Resubmissions

06-09-2024 13:37

240906-qwxwgayfqk 10

06-09-2024 13:31

240906-qsqmzsyemj 5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ_PO_6457837777_GMD9038762_Order_Details.pdf

  • Size

    1.8MB

  • Sample

    240906-qwxwgayfqk

  • MD5

    02f8c6bfabcba64143d43b80e59ed07c

  • SHA1

    345db687392e39deb7bbfb634a1dd9a3199d996e

  • SHA256

    ea20975256e3bfaf5cc6fa25c03f1951d9688f7c9010f96cc760fb60bf0ced14

  • SHA512

    1057582923ab6426fcab88931ed842398db34e793bb5d451fd83b70bfd8df12e5163d7898800d78ed3a486d29a92270d0d248d61c9fd2dcda322f67bf51822c2

  • SSDEEP

    49152:Bh+ZkldoPK8Ya9dTBeTgZU+ePAf3lqMsEE0zeErIRnm:i2cPK83ugZU+JfgiNzeErI

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    s82.gocheapweb.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    london@1759

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      RFQ_PO_6457837777_GMD9038762_Order_Details.pdf

    • Size

      1.8MB

    • MD5

      02f8c6bfabcba64143d43b80e59ed07c

    • SHA1

      345db687392e39deb7bbfb634a1dd9a3199d996e

    • SHA256

      ea20975256e3bfaf5cc6fa25c03f1951d9688f7c9010f96cc760fb60bf0ced14

    • SHA512

      1057582923ab6426fcab88931ed842398db34e793bb5d451fd83b70bfd8df12e5163d7898800d78ed3a486d29a92270d0d248d61c9fd2dcda322f67bf51822c2

    • SSDEEP

      49152:Bh+ZkldoPK8Ya9dTBeTgZU+ePAf3lqMsEE0zeErIRnm:i2cPK83ugZU+JfgiNzeErI

    Score
    10/10
    agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Command and Control

Exfiltration

Impact

Tasks