General

  • Target

    NEW P O.exe

  • Size

    482KB

  • Sample

    201109-f9xnwgawy6

  • MD5

    d8492d52da3b7fc82bc19b8aca351c63

  • SHA1

    a368f5ea2903bae4dc521189a09c490a215d7577

  • SHA256

    e8ea9e32e32ba57db997117b275a571e3d69793663a9e81b4f2df7616b1389b4

  • SHA512

    79e1ecee0202411b1ce9d3cc15d9eb175206471b194f5ab941ab6c391d19accc1656b03b6aa1e920b20dba2b1fe01f7ff0f91cb63d93a2a0e58d1e98a799f013

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pptoursperu.com
  • Port:
    587
  • Username:
    info@pptoursperu.com
  • Password:
    mailppt2019-

Targets

    • Target

      NEW P O.exe

    • Size

      482KB

    • MD5

      d8492d52da3b7fc82bc19b8aca351c63

    • SHA1

      a368f5ea2903bae4dc521189a09c490a215d7577

    • SHA256

      e8ea9e32e32ba57db997117b275a571e3d69793663a9e81b4f2df7616b1389b4

    • SHA512

      79e1ecee0202411b1ce9d3cc15d9eb175206471b194f5ab941ab6c391d19accc1656b03b6aa1e920b20dba2b1fe01f7ff0f91cb63d93a2a0e58d1e98a799f013

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • rezer0

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

Tasks