General

  • Target

    will.exe

  • Size

    641KB

  • Sample

    210415-4vpgg7p2z2

  • MD5

    0d24edbababf83cfc896376cff5faa7d

  • SHA1

    a7253544a3b15c1e6e87b5e667ce2f7fe3f5d342

  • SHA256

    884e1915901c600a0e0203c06de3a208a1adba49289f7ee8f910fa112782357e

  • SHA512

    6a7286aa8436e99e4f96af8d1667e74aef312e34778a65175d564058d7f88062c9df93fe66e4c3c2d87986eef1f6ab5eea9be97cab55f125355163ff1d1914cc

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.eczanaerya.com
  • Port:
    587
  • Username:
    John@eczanaerya.com
  • Password:
    daunting@123
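The SMTP account above is the exfiltration channel the sample was built with, so it is the most useful network indicator in this report. As an added example (not part of the sandbox output), the following Python script matches the report's hashes and SMTP destination against Sysmon-style process-creation and network-connection events. The key=value event format, the field names and the four log lines are constructed for illustration; the allow-list of mail clients is an assumption you would replace with your own.

```python
"""Match the IOCs from this report against Sysmon-style events.

Added example, not part of the sandbox report. The event format and the
log lines below are constructed; field names follow Sysmon (EventID 1 =
process creation with Hashes, EventID 3 = network connection).
"""
import re
from dataclasses import dataclass

# IOCs copied from the report above.
SAMPLE_HASHES = {
    "md5": "0d24edbababf83cfc896376cff5faa7d",
    "sha1": "a7253544a3b15c1e6e87b5e667ce2f7fe3f5d342",
    "sha256": "884e1915901c600a0e0203c06de3a208a1adba49289f7ee8f910fa112782357e",
}
EXFIL_HOST = "mail.eczanaerya.com"
EXFIL_PORT = 587

# Assumption: processes allowed to open SMTP submission (587) connections.
MAIL_CLIENT_ALLOWLIST = ("outlook.exe", "thunderbird.exe")

# Constructed sample events (key=value, quoted values may contain spaces).
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Users\\victim\\AppData\\Local\\Temp\\will.exe" '
    'Hashes=MD5=0D24EDBABABF83CFC896376CFF5FAA7D,'
    'SHA256=884E1915901C600A0E0203C06DE3A208A1ADBA49289F7EE8F910FA112782357E',
    'EventID=3 Image="C:\\Users\\victim\\AppData\\Local\\Temp\\will.exe" '
    'DestinationHostname=mail.eczanaerya.com DestinationPort=587 Protocol=tcp',
    'EventID=3 Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" '
    'DestinationHostname=smtp.office365.com DestinationPort=587 Protocol=tcp',
    'EventID=3 Image="C:\\Windows\\System32\\svchost.exe" '
    'DestinationHostname=ctldl.windowsupdate.com DestinationPort=80 Protocol=tcp',
]


@dataclass
class Hit:
    rule: str
    line: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split a key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def match_event(ev):
    """Return the names of every rule the parsed event triggers."""
    hits = []
    # Sysmon writes Hashes as ALGO=DIGEST pairs separated by commas.
    for pair in ev.get("Hashes", "").split(","):
        algo, _, digest = pair.partition("=")
        if SAMPLE_HASHES.get(algo.lower()) == digest.lower():
            hits.append(f"known-sample-hash:{algo.lower()}")
    if ev.get("EventID") == "3":
        dst_host = ev.get("DestinationHostname", "").lower()
        image = ev.get("Image", "").lower()
        if dst_host == EXFIL_HOST:
            # Exact match on the exfiltration host from the extracted config.
            hits.append("agenttesla-smtp-exfil-host")
        elif ev.get("DestinationPort") == str(EXFIL_PORT) and \
                not image.endswith(MAIL_CLIENT_ALLOWLIST):
            # Weaker signal: SMTP submission from something that is not a mail client.
            hits.append("smtp-submission-from-non-mail-client")
    return hits


def scan(lines):
    """Run every rule over every line and collect the hits."""
    return [Hit(rule, line) for line in lines for rule in match_event(parse_event(line))]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.rule:40} {hit.line[:70]}")
```

Treat the mailbox as attacker-controlled infrastructure: block or sinkhole the host at the egress proxy and alert on the hash, but do not log in to the account with the recovered credentials.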

Targets

    • Target

      will.exe

    • Size

      641KB

    • MD5

      0d24edbababf83cfc896376cff5faa7d

    • SHA1

      a7253544a3b15c1e6e87b5e667ce2f7fe3f5d342

    • SHA256

      884e1915901c600a0e0203c06de3a208a1adba49289f7ee8f910fa112782357e

    • SHA512

      6a7286aa8436e99e4f96af8d1667e74aef312e34778a65175d564058d7f88062c9df93fe66e4c3c2d87986eef1f6ab5eea9be97cab55f125355163ff1d1914cc

    • AgentTesla

      Agent Tesla is a .NET (Visual Basic .NET) remote access tool (RAT) and information stealer; it exfiltrates harvested credentials over SMTP, FTP or HTTP, and the SMTP account in the extracted config above is its exfiltration mailbox.

    • AgentTesla Payload

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process hollowing and similar code-injection techniques, where a suspended process is made to execute attacker-supplied code.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • System Information Discovery (T1082): 1