agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

fc3b071a8f86b8746ab4c738a09c9da2_JaffaCakes118
Size

1.9MB
Sample

240928-nvxszatgnl
MD5

fc3b071a8f86b8746ab4c738a09c9da2
SHA1

bf5950d3631551f57679aafc8789685f4319276a
SHA256

b84beac430d5c3fd06f4a1016e305884689eba7596eea1d6ca8ffa2122f341ff
SHA512

429be80f432e360743fce2d4b837ca793b750f9450d067d61321fb1ba546880bee60b6a9d10f47060ec8d23a51aea373a70c540f5ead41d01bb115c27301b405
SSDEEP

49152:DAfxanuyTwtfuAyjzcjNx07vTR+HinKwEkvE3SyzUqH07:DyyTMyjzS4TT00ASH

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
MARYolanmauluogwo@ever

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
MARYolanmauluogwo@ever

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
MARYolanmauluogwo@ever

Targets

- Target
  
  Inv.exe
- Size
  
  744KB
- MD5
  
  f8433b692958fa0ce7659e63203b60de
- SHA1
  
  dd6595d2e6d5bdf54e718b07c94fc964eab69365
- SHA256
  
  69b49da3c4767d2ffcd713aeea8343e1aa2f0be88512fc9c4d86a932b4ee6cb5
- SHA512
  
  343ab88a59614251a2323af2b886069e5507aef04421c1b937661868a4c1c3332c60af85307b2b4dc21632c983e85372486ea6f5adfb3ffefeb11cb186718a6c
- SSDEEP
  
  12288:CopQ7vrfwkDb4lFH+Ke/zromd1UUdR1QeFVzXShXjgR8A52GkJnftMZ:1pavrfwRlFUwm3UgDQ4azRAUft
Score

10^/10

hawkeye collection discovery execution keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Drops startup file
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  New Order.exe
- Size
  
  439KB
- MD5
  
  cfdf487ec65b12fb598214e07d4e2449
- SHA1
  
  1a4c51f0f4d6356da677594800b4356c65da6074
- SHA256
  
  bd021089d05bee433a76c55dd186d23261a7232e55ea540c9fd63f4403071a66
- SHA512
  
  afb4fc6e187ab62f29adfef8390b74db3ba309c37fb8c57c38dd8beeaba74c11ea58643f45d9349206fdca0aaab567e067fe555368f44bdcb0401c8da0f81009
- SSDEEP
  
  12288:FecQS84fwkDIvgiFZyINBQ07P+C+g3tJ:ocn84fwjnZyoBQ07L+0t
Score

10^/10

agenttesla collection credential_access discovery execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Drops startup file
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  Quotation.exe
- Size
  
  440KB
- MD5
  
  0547c6fd5e4d632b87d2f9a3dbc88587
- SHA1
  
  022d3a644567f960a1fa692ed576a4aaf5ca72a0
- SHA256
  
  e25588ef7f6dc061277b4380dc1f9ad034f1eb74c254cd778fea2ab7fe1783ab
- SHA512
  
  bed9caa917ff25a5168017952b401f4688f0f04c0075442bcb95d891017293b403c42a1e6f43cea4fc6ee5e2e80ae90d4c19afc293283eb4e840bc8871878129
- SSDEEP
  
  12288:lmFQMGhfwkDlqSagxLFfK9YwxemjVaJW7Jt4:EFpGhfwura689YwEmjVeOt
Score

10^/10

agenttesla collection credential_access discovery execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Drops startup file
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  pictures and logo.exe
- Size
  
  669KB
- MD5
  
  4fa42a8beb305337e28cede06ceefa62
- SHA1
  
  1ad401dc70385788123ae837eea020a9c1d9e9d9
- SHA256
  
  c38b853587846014052d5b2206e8764dac66f7de9479ec3080e1872938bd7ceb
- SHA512
  
  81dc56b84e3e95169de458d5842c50347455365388b96155aa25a7fea27dc756d20180265ee2b796b2d6ebc2d04d622a6fa9259877f371e956e1458415046807
- SSDEEP
  
  12288:mEcQS8zfwkDWsWUZT3HVCuNhzmSEuH/KVTXr2tb:Fcn8zfw+WUZT3HVCuNhqWfKFXr2t
Score

10^/10

matiex collection credential_access discovery execution keylogger spyware stealer
- Matiex
  Matiex is a keylogger and infostealer first seen in July 2020.
  stealer keylogger matiex
- Matiex Main payload
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Drops startup file
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

HawkEye

Beds Protector Packer

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Drops startup file

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

AgentTesla payload

Beds Protector Packer

Drops startup file

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

AgentTesla

AgentTesla payload

Beds Protector Packer

Drops startup file

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

Matiex

Matiex Main payload

Beds Protector Packer

Drops startup file

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8