General

  • Target

    citat.exe

  • Size

    507KB

  • Sample

    200707-1jflz5dm96

  • MD5

    4c0812477679e4c34663933be5c5f9fb

  • SHA1

    3c3df6e2bb55f8870b9eb9da60008ea58972a20e

  • SHA256

    66b15ee82b31364bbb038c7a2f60fac0057d01b0865b2b71a4418293fc9e056d

  • SHA512

    35868df44b9faf661bd916d5210e5229863838d609f2056f1b6da9e148d588dba5516aa296adad2f42f74e9b13d7ece042b26424820b038025106fb7f0822aa4

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    kalle.a@yandex.com
  • Password:
    SENEGAL12345

Targets

    • Target

      citat.exe

    • Size

      507KB

    • MD5

      4c0812477679e4c34663933be5c5f9fb

    • SHA1

      3c3df6e2bb55f8870b9eb9da60008ea58972a20e

    • SHA256

      66b15ee82b31364bbb038c7a2f60fac0057d01b0865b2b71a4418293fc9e056d

    • SHA512

      35868df44b9faf661bd916d5210e5229863838d609f2056f1b6da9e148d588dba5516aa296adad2f42f74e9b13d7ece042b26424820b038025106fb7f0822aa4

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Tasks