General

  • Target

    35,276.70 SWIFT.xlsx

  • Size

    469KB

  • Sample

    210421-985n89ttns

  • MD5

    72b12d5672ca2a2d758554548401568a

  • SHA1

    bd81a200472e6ccc14e1ed8e2282f3bc32ae9d29

  • SHA256

    e3df51fb381739343abac1afe4fecc7c748227b1d7f935ab8b37486d4dabc12c

  • SHA512

    934ea2b8554c6b1cf241ea42b62f416f3b8ee9e5ae6007ff9e96f22f37a6ad85ddb92110cd27adbce7e053940af7d2b4c61cd79a7a8e57e9dd538f158ab380b1

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    razilogs@razilogs.com
  • Password:
    FUCKYOU3116

Targets

    • Target

      35,276.70 SWIFT.xlsx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            ID      Count
  Execution          Scripting                            T1064   1
  Execution          Exploitation for Client Execution    T1203   1
  Defense Evasion    Scripting                            T1064   1
  Defense Evasion    Modify Registry                      T1112   1
  Discovery          Query Registry                       T1012   2
  Discovery          System Information Discovery         T1082   2

Tasks