General

  • Target

    Purchase List.exe

  • Size

    684KB

  • Sample

    210225-nfnqg6gtys

  • MD5

    e4cf61f665f6162275d903ae9704ab4b

  • SHA1

    fae35b4255e8d21822800c06b6bebc467730e422

  • SHA256

    902e08a184d5a096905397464b5add020e541af01a856e33935763ceb42f1205

  • SHA512

    150179452260cd2c946d312755b20584295645763d4e03152143fd74d55201f8ecb5c1082129b560bcd2a95ada411309a7bcf3db5fd761fc3cf19b3dae1ac3b2

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.estagold.com.my
  • Port:
    587
  • Username:
    admin@estagold.com.my
  • Password:
    estagold202584

Targets

    • Target

      Purchase List.exe

    • Size

      684KB

    • MD5

      e4cf61f665f6162275d903ae9704ab4b

    • SHA1

      fae35b4255e8d21822800c06b6bebc467730e422

    • SHA256

      902e08a184d5a096905397464b5add020e541af01a856e33935763ceb42f1205

    • SHA512

      150179452260cd2c946d312755b20584295645763d4e03152143fd74d55201f8ecb5c1082129b560bcd2a95ada411309a7bcf3db5fd761fc3cf19b3dae1ac3b2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Tasks