General

  • Target: 126503018.eml.zip
  • Size: 3KB
  • Sample: 210421-rxs2ek9d4s
  • MD5: 112815430ea71ae812e30d1c596c9ad9
  • SHA1: 28341737f4e6a8e3b2eac4bdf713dee94640a2ef
  • SHA256: 28425375bde8a9d13ac9b57ccc32f046b2c7bebdf592b5af2d85146d565e9a9e
  • SHA512: e35df2e4850bceea76a15d6981d97ffd893589394b6cecd5512f614db290de118c85626b1a6ad01a48e2970eec9efe7472bde2601e6ada1eb3b57c105563916d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.privateemail.com
  • Port: 587
  • Username: prodip@precisionenergy.me
  • Password: @Mexico1.,

Targets

    • Target: Purchase Order.doc
    • Size: 4KB
    • MD5: 9ef6eb1c4c2bc4c409fc59e4bbf36854
    • SHA1: e4e956b1f7e500073bab3ccef88e6c4bf784c663
    • SHA256: 9aec6bdb253c4e34d6f4629baadc8a01d4674ac5bd084b791820160ed27d2b2b
    • SHA512: 45764eb0feb82a7da251461fcf02e56e7b6468a4f45c89f8b3a9826cc81444d50126ad0595d7c19e3e551530763ee8fe94a37423316dd102e990a71fb829d1ca

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                           Count   ID
  Execution             Scheduled Task                      1       T1053
  Execution             Exploitation for Client Execution   1       T1203
  Persistence           Scheduled Task                      1       T1053
  Privilege Escalation  Scheduled Task                      1       T1053
  Defense Evasion       Modify Registry                     1       T1112
  Discovery             System Information Discovery        3       T1082
  Discovery             Query Registry                      2       T1012

Tasks