General
- Target: Tender Material for PUMPS, VALVES, STAINLESS STEEL AND GALVANIZED PIPES..doc
- Size: 475KB
- Sample: 210120-sk6gf2wjsn
- MD5: 85501a66797907eca8e3eefb91e53d85
- SHA1: 7113cecdff303bf2b54118febfe6561d9a895d5c
- SHA256: 7d87a240aebb468e295dbb43f45ab8989f78567d5869fa6365f1d94c42a10dbe
- SHA512: 8b33214896fc3cd65dcdff64b75213767353e521917ddf9d735437320e0b9562887b07239aa6e059b046155eaf92b5c181339c83df4c248348eef18727f16283
Static task
- static1

Behavioral task
- behavioral1
  - Sample: Tender Material for PUMPS, VALVES, STAINLESS STEEL AND GALVANIZED PIPES..doc
  - Resource: win7v20201028

Behavioral task
- behavioral2
  - Sample: Tender Material for PUMPS, VALVES, STAINLESS STEEL AND GALVANIZED PIPES..doc
  - Resource: win10v20201028
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: edubrazil4040@longjohn.icu
- Password: GODBLESS2021@
Targets
- Target: Tender Material for PUMPS, VALVES, STAINLESS STEEL AND GALVANIZED PIPES..doc (475KB; hashes as listed under General)
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Modifies WinLogon for persistence
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Blocklisted process makes network request
- Executes dropped EXE
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Winlogon Helper DLL (1)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (6)
- Disabling Security Tools (3)
- Virtualization/Sandbox Evasion (2)