Quote Request #7779510.doc

General

Target: Quote Request #7779510.doc
Size: 295KB
Sample: 210421-4a3nt1yvax
Score: 10/10
MD5: 56031cae7ff0acf6da4b77070c607774
SHA1: c9f9047e53d83becc7c6076c899a703f1e6e1a76
SHA256: ff381561194eae8d503307490082530d0b452297e33610d219d6a116814b6447
SHA512: 5ec0385f97e866da8316f9d84ec4148fbfa9a069510a71aad28b1a1a6b71d05a3155d63d8ae5e341e3123ed9441ff6b8a6a9202a5798665ecce42d3b46e53265

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs:
exe.dropper: httP://katchobinnas.duckdns.org/kat.exe

Extracted

Family: agenttesla
Credentials:
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: eitaneli@pppkglobal.net
Password: yZ!RlHx2

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

  • AgentTesla Payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext
