General

  • Target

    NEW ORDER 032021-W878.ppt

  • Size

    71KB

  • Sample

    210308-xapw8zjbpj

  • MD5

    5c63ab7763e609cf490333be0be26596

  • SHA1

    a3b5eb9fcbc36854ef61ef2c25ccf9fa5c1a5260

  • SHA256

    736c4ad042343164463dce61269b4ab6101d8e34a4accbc3f2d23bb2e6a42f4a

  • SHA512

    e6ed55100eac92bf698af254a6cd4b1ba0b87a1290ff5d2fd37ea6166b4444c2267c89c5d7e8d524a5250b0b33a95004d3168924f4e4b091d1b1add8c5c5a3a9

Malware Config

Extracted

Family

agenttesla

C2

http://103.133.105.179/3535/inc/e93cc142f47fdc.php

Targets

    • Target

      NEW ORDER 032021-W878.ppt (hashes and size as listed under General above)

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Checks whether UAC is enabled

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the technique, its ATT&CK ID and the number of matches in this sample.

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Bypass User Account Control (T1088): 1
    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 5
    Disabling Security Tools (T1089): 2
    Bypass User Account Control (T1088): 1

  • Discovery

    System Information Discovery (T1082): 4
    Query Registry (T1012): 2
    Remote System Discovery (T1018): 1

Tasks