General

  • Target

    shipment document.doc

  • Size

    1.9MB

  • Sample

    210126-7z28qlcfhs

  • MD5

    bc7f085da0717ce2b087f9743d2663d6

  • SHA1

    c148128be910afd96d77afe815f8b3c6f41e4801

  • SHA256

    fdf939f394771c4e6a044924046b7082e87bbd2536fc2efe478bd0cc5753b2d8

  • SHA512

    737dded6e4ebf73f2d6948cb4e01cae47d92d178bc2f37486d65c8935a322546edb1f26c232689e09c6e77320d85999832785557554d3658b3d2844d5a9dff9c

Malware Config

Extracted

  • Family

    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.atulvideo.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    WR@Q]rUZ-eQ#
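
The hashes under General and the extracted SMTP configuration are the two indicator sets a responder would pull from this report. The Python below is an added example, not part of the sandbox report, that loads those indicators and matches constructed file and network telemetry against them. The record schema (`type`, `dst_host`, `proc`, ...), the list of allowed mail clients, and the process names and hosts in SAMPLE_RECORDS are assumptions for illustration.

```python
import hashlib

# Indicators transcribed from the report above.
SAMPLE_HASHES = {
    "md5": "bc7f085da0717ce2b087f9743d2663d6",
    "sha1": "c148128be910afd96d77afe815f8b3c6f41e4801",
    "sha256": "fdf939f394771c4e6a044924046b7082e87bbd2536fc2efe478bd0cc5753b2d8",
    "sha512": "737dded6e4ebf73f2d6948cb4e01cae47d92d178bc2f37486d65c8935a322546"
              "edb1f26c232689e09c6e77320d85999832785557554d3658b3d2844d5a9dff9c",
}
EXFIL_HOST = "mail.atulvideo.com"
EXFIL_PORT = 587
EXFIL_PROTO = "smtp"
# Assumption for the heuristic rule: processes legitimately expected to speak SMTP.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def file_hashes(data: bytes) -> dict:
    """Digest a file with every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_sample(hashes: dict) -> list:
    """Names of the digests that equal the report's; [] means no match.
    Lower-cased because tools disagree on hex case. An MD5-only hit is still
    reported, but prefer SHA-256 when deciding: MD5 and SHA-1 are collidable."""
    return [name for name, value in SAMPLE_HASHES.items()
            if hashes.get(name, "").lower() == value]


def match_events(records: list) -> list:
    """Return (reason, record) for every record that touches an indicator.

    Record shapes (assumed for this example, not a real SIEM schema):
      {"type": "file", "path": str, "sha256": str, ...}
      {"type": "conn", "proc": str, "dst_host": str, "dst_port": int, "proto": str}
    """
    hits = []
    for rec in records:
        if rec.get("type") == "file":
            matched = matches_sample({k: v for k, v in rec.items() if k in SAMPLE_HASHES})
            if matched:
                hits.append((f"file hash matches report ({', '.join(matched)})", rec))
        elif rec.get("type") == "conn":
            host = rec.get("dst_host", "").lower().rstrip(".")
            proc = rec.get("proc", "").lower()
            if host == EXFIL_HOST:
                # Strong signal: the mailbox host is the stable part of the config.
                # Match on host alone, since the operator can move the port.
                hits.append(("connection to Agent Tesla SMTP exfiltration host", rec))
            elif rec.get("dst_port") == EXFIL_PORT and rec.get("proto") == EXFIL_PROTO \
                    and proc not in MAIL_CLIENTS:
                # Weak signal: SMTP submission from a non-mail process. The report's
                # host is one of many the family uses, so this is a hunt lead, not an alert.
                hits.append(("heuristic: SMTP submission from non-mail process", rec))
    return hits


# Constructed telemetry for the demo; paths, process names and hosts are made up.
SAMPLE_RECORDS = [
    {"type": "file", "path": r"C:\Users\u\Downloads\shipment document.doc",
     "sha256": "FDF939F394771C4E6A044924046B7082E87BBD2536FC2EFE478BD0CC5753B2D8"},
    {"type": "conn", "proc": "dropped.exe", "dst_host": "mail.atulvideo.com.",
     "dst_port": 25, "proto": "smtp"},
    {"type": "conn", "proc": "outlook.exe", "dst_host": "smtp.example.com",
     "dst_port": 587, "proto": "smtp"},
    {"type": "conn", "proc": "updater.exe", "dst_host": "smtp.example.net",
     "dst_port": 587, "proto": "smtp"},
    {"type": "conn", "proc": "chrome.exe", "dst_host": "example.org",
     "dst_port": 443, "proto": "tls"},
]

if __name__ == "__main__":
    for reason, rec in match_events(SAMPLE_RECORDS):
        print(f"{reason}: {rec}")
```

Two practical notes: port 587 submission normally upgrades to TLS with STARTTLS, so a network sensor sees the host (via DNS or the TLS SNI) but not the AUTH credentials or message body, which is why the matcher keys on the host rather than on content. And the mailbox credentials in the extracted config belong to the operator's exfiltration account; they are for blocking and correlation, not for logging in.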

Targets

    • Target

      shipment document.doc

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT) written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and exfiltrates them over SMTP or FTP, which is why the extracted configuration above is a mail account.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved credentials on disk, where infostealers routinely read them.

    • Reads user/profile data of web browsers

      Infostealers routinely harvest stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
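
The signatures above are individually weak (many installers add a Run key, and Office spawning a child process is not always malicious) and only become a confident Agent Tesla detection in combination. As an added example that is not part of this report, the Python below scores per-process telemetry for those behaviours: an Office parent spawning an executable from a user-writable path, a file created under the Drivers directory, a Run key value set, and reads of FileZilla, browser and mail-client credential stores. The event schema (`action`, `pid`, `image`, ...), the weights, the threshold and the credential-store paths are assumptions for this example, and the sample events are constructed. It does not attempt to detect SetThreadContext use, which needs EDR or kernel visibility into thread manipulation rather than file and registry events.

```python
import re
from collections import defaultdict

# Behaviour patterns. Paths are assumptions: FileZilla keeps sitemanager.xml and
# recentservers.xml under %APPDATA%\FileZilla, Chromium browsers keep saved
# logins in "<profile>\Login Data", Thunderbird in "<profile>\logins.json".
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
DRIVERS_DIR = re.compile(r"\\Windows\\System32\\drivers\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
CRED_STORES = {
    "ftp_client": re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I),
    "browser": re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),
    "mail_client": re.compile(r"\\Thunderbird\\Profiles\\[^\\]+\\logins\.json$", re.I),
}

# Weights and threshold are tuning assumptions. Each behaviour is common in
# benign software; the Agent Tesla pattern is their co-occurrence in one process.
WEIGHTS = {
    "office_spawned_exe": 3,
    "exe_from_user_writable": 1,
    "file_in_drivers_dir": 2,
    "run_key_added": 3,
    "reads_ftp_client": 2,
    "reads_browser": 2,
    "reads_mail_client": 2,
}
ALERT_THRESHOLD = 6


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Behaviour labels exhibited by one event (possibly several, possibly none).

    Event shape is assumed (EDR-style, not Sysmon's exact fields):
      process_create: image, parent_image   file_create / file_read: path
      registry_set: key                     every event: pid
    """
    action = event.get("action")
    labels = []
    if action == "process_create":
        if basename(event.get("parent_image", "")) in OFFICE_PARENTS:
            labels.append("office_spawned_exe")
        if USER_WRITABLE.search(event.get("image", "")):
            labels.append("exe_from_user_writable")
    elif action == "file_create" and DRIVERS_DIR.search(event.get("path", "")):
        labels.append("file_in_drivers_dir")
    elif action == "registry_set" and RUN_KEY.search(event.get("key", "")):
        labels.append("run_key_added")
    elif action == "file_read":
        for store, pattern in CRED_STORES.items():
            if pattern.search(event.get("path", "")):
                labels.append(f"reads_{store}")
    return labels


def score_processes(events: list) -> dict:
    """Aggregate labels per pid; return {pid: {"score", "behaviours"}} for
    processes at or above ALERT_THRESHOLD. Labels are a set, so a stealer that
    reads 200 browser profiles scores the same as one that reads one."""
    per_pid = defaultdict(set)
    for ev in events:
        per_pid[ev.get("pid")].update(classify(ev))
    alerts = {}
    for pid, labels in per_pid.items():
        score = sum(WEIGHTS[label] for label in labels)
        if score >= ALERT_THRESHOLD:
            alerts[pid] = {"score": score, "behaviours": sorted(labels)}
    return alerts


# Constructed events: pid 4100 models the report's chain, pid 5200 a benign
# installer that only adds a Run key and must stay below threshold.
SAMPLE_EVENTS = [
    {"action": "process_create", "pid": 4100,
     "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"action": "file_create", "pid": 4100,
     "path": r"C:\Windows\System32\drivers\dropped.bin"},
    {"action": "registry_set", "pid": 4100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"action": "file_read", "pid": 4100,
     "path": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"action": "file_read", "pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"action": "process_create", "pid": 5200,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"action": "registry_set", "pid": 5200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"},
]

if __name__ == "__main__":
    for pid, info in score_processes(SAMPLE_EVENTS).items():
        print(pid, info)
```

Scoring per process rather than per event is the point: the installer in the sample data sets a Run key and is correctly ignored, while the process spawned from WINWORD.EXE crosses the threshold only because persistence, the Drivers-directory drop and the credential-store reads all land on the same pid.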

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                            ID      Count
  Execution           Exploitation for Client Execution    T1203   1
  Persistence         Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion     Modify Registry                      T1112   2
  Credential Access   Credentials in Files                 T1081   3
  Discovery           Query Registry                       T1012   2
  Discovery           System Information Discovery         T1082   2
  Collection          Data from Local System               T1005   3

  Count is the number of behaviour signatures above that the sandbox mapped to the technique. The IDs follow ATT&CK v6; T1060 and T1081 have since been retired and correspond to the sub-techniques T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1552.001 (Unsecured Credentials: Credentials In Files) in current ATT&CK.
