Overview

overview

10

Static

static

8

PO944888299393.pps

windows7_x64

10

PO944888299393.pps

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO944888299393.pps

  • Size

    77KB

  • Sample

    210422-cqxxx5rs1x

  • MD5

    858604f0166fa58fe09e96988a87477c

  • SHA1

    bed0b866c6b8cc1048153b22e96a51f464d6582b

  • SHA256

    18b7a818fd88133d309ce7191e9c3eb85a3b31d0bbaf2c08df0f1cbdc26a7513

  • SHA512

    d05a52ed607c6b96875428b8f3aa379c5460db17e6480e5bb3bfbdf0ba72fd895acb523b846413e99ca1d056a371462df94ca1556cd98ac2e1f0be1144da596d

Score
10/10
agentteslakeyloggermacropersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

http://103.133.105.179/909/inc/29e2365d4334a8.php

Targets

    • Target

      PO944888299393.pps

    • Size

      77KB

    • MD5

      858604f0166fa58fe09e96988a87477c

    • SHA1

      bed0b866c6b8cc1048153b22e96a51f464d6582b

    • SHA256

      18b7a818fd88133d309ce7191e9c3eb85a3b31d0bbaf2c08df0f1cbdc26a7513

    • SHA512

      d05a52ed607c6b96875428b8f3aa379c5460db17e6480e5bb3bfbdf0ba72fd895acb523b846413e99ca1d056a371462df94ca1556cd98ac2e1f0be1144da596d

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks