Resubmissions

  • 04-12-2020 15:10    201204-8gygfx3f4n    10

  • 03-12-2020 19:57    201203-9dqckex96j    8

General

  • Target

    DHL-3-12-20.ppt

  • Size

    308KB

  • Sample

    201204-8gygfx3f4n

  • MD5

    e1545289a3051a400be31e9e485b7a96

  • SHA1

    060222f611579360d83699f58c2b16c202ce0440

  • SHA256

    4032b7730b04a326f49c57f9b140b94332f87d5d0bf4c33ebfaee973527f822d

  • SHA512

    c37d2d296b52e12e28265406b9b6b7f5944b2bae473f5bd6ede18a5ccff3dc024fa0ea5dfd026e4d3931883cf252c2dd4d67a5bbde1e41b822aa5177974f788e

Malware Config

Extracted

Family

agenttesla

C2

http://69.174.99.26/webpanel-ice/inc/a297721577bf46.php

Targets

    • Target

      DHL-3-12-20.ppt

    • Size

      308KB

    • MD5

      e1545289a3051a400be31e9e485b7a96

    • SHA1

      060222f611579360d83699f58c2b16c202ce0440

    • SHA256

      4032b7730b04a326f49c57f9b140b94332f87d5d0bf4c33ebfaee973527f822d

    • SHA512

      c37d2d296b52e12e28265406b9b6b7f5944b2bae473f5bd6ede18a5ccff3dc024fa0ea5dfd026e4d3931883cf252c2dd4d67a5bbde1e41b822aa5177974f788e

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                  Technique                               Count  ID
Execution               Scheduled Task                          1      T1053
Persistence             Registry Run Keys / Startup Folder      1      T1060
Persistence             Scheduled Task                          1      T1053
Privilege Escalation    Scheduled Task                          1      T1053
Defense Evasion         Modify Registry                         2      T1112
Discovery               System Information Discovery            3      T1082
Discovery               Query Registry                          2      T1012

Tasks