General

  • Target

    QUOTE B1020363.pdf.gz

  • Size

    521KB

  • Sample

    210511-hce8zyr95x

  • MD5

    6fea9fa0c1515401c1c1b16050fa47f2

  • SHA1

    aad04e566fa2b06e48c8d99a5cbe69186d11a9bb

  • SHA256

    b33da17596e956896a4791449395b6c8eee6e9d214b645373b218bc23240e203

  • SHA512

    f23ba8880ab5341fc949680f1f6334f4e2e4508c000e1bc70bce092aac342c3ff49d9024504501b45417d3da97c961355afc0c469e6393bdfe8d3045d764f7c2

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    Graceboy123@vivaldi.net
  • Password:
    4Lmm4pew4Z3EVCn

Targets

    • Target

      QUOTE B1020363.pdf.exe

    • Size

      735KB

    • MD5

      8c817545d7ba60333a000ba5ce565776

    • SHA1

      e2c55dc26dde7b0e07b950d9753ccee89d0216f0

    • SHA256

      26799266072f7aeaf11cfe54773cd3f387dd383bb8900cf1708a8db00740d101

    • SHA512

      2beec0619d4834e696f6c30513a9007e2e0c822c0290221de050b422abdd5e99025561ada8508e085d6415479a35eaef47f7040c3b5b1bffb464f0e95316d241

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, historically written in Visual Basic .NET; it harvests credentials from the host and exfiltrates them over channels such as SMTP, which is what the extracted config above describes.

    • Contains code to disable Windows Defender

      A .NET executable that contains code to disable Windows Defender capabilities such as real-time monitoring and block-at-first-seen.

    • AgentTesla Payload

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a suspended process is the usual way a loader redirects execution into injected code (process hollowing); it is a generic indicator of in-memory payload injection rather than proof of any specific technique in this sample.
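
    The following detection logic is an added example for the two behaviours this report flags (the SMTP exfiltration channel from the extracted config, and the Windows Defender tampering); it is not part of the sandbox report or of the Triage signatures. The Sysmon-style log lines are constructed for the example, the registry value paths are the standard Defender Group Policy locations for the named settings (an assumption about how the sample disables them, not something the report states), and the list of legitimate mail clients is illustrative.

```python
"""Detection logic over constructed Sysmon-style events for an AgentTesla
infection: outbound SMTP to the extracted C2 and Defender policy tampering.

Assumptions (not from the report): the registry paths below are the standard
Defender Group Policy locations for the two named settings; the log lines
are constructed for this example; the mail-client allow list is illustrative.
"""

import re
from dataclasses import dataclass

# Exfiltration endpoint taken from the report's extracted malware config.
C2_HOST = "smtp.vivaldi.net"
C2_PORT = 587

# Defender settings named in the report, at their standard policy locations
# (assumed). A DWORD value of 1 turns the protection off.
DEFENDER_TAMPER_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring".lower(),
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen".lower(),
}

# Processes that legitimately talk SMTP submission (illustrative allow list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass
class Alert:
    rule: str
    process: str
    detail: str


# Constructed events in the form "EventID=<n> Image=<path> Key=Value ...".
# EventID 3 = network connection, EventID 13 = registry value set.
SAMPLE_LOG = """\
EventID=3 Image=C:\\Users\\victim\\Downloads\\QUOTE B1020363.pdf.exe DestinationHostname=smtp.vivaldi.net DestinationPort=587 Protocol=tcp
EventID=3 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE DestinationHostname=smtp.office365.com DestinationPort=587 Protocol=tcp
EventID=13 Image=C:\\Users\\victim\\Downloads\\QUOTE B1020363.pdf.exe TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring Details=DWORD (0x00000001)
EventID=13 Image=C:\\Users\\victim\\Downloads\\QUOTE B1020363.pdf.exe TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\DisableBlockAtFirstSeen Details=DWORD (0x00000001)
EventID=13 Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\DisableBlockAtFirstSeen Details=DWORD (0x00000000)
"""


def parse_event(line: str) -> dict[str, str]:
    """Split a Key=Value line into a dict. Values may contain spaces, so the
    split happens only before a token that looks like the next Key=."""
    fields = {}
    for token in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect(log: str) -> list[Alert]:
    """Return alerts for C2 SMTP traffic, SMTP from non-mail processes, and
    Defender settings being switched off."""
    alerts: list[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        proc = ev.get("Image", "").rsplit("\\", 1)[-1].lower()

        if ev.get("EventID") == "3":
            host = ev.get("DestinationHostname", "").lower()
            try:
                port = int(ev.get("DestinationPort", "0"))
            except ValueError:
                continue
            if host == C2_HOST and port == C2_PORT:
                alerts.append(Alert("agenttesla_smtp_c2", proc, f"{host}:{port}"))
            elif port == C2_PORT and proc not in MAIL_CLIENTS:
                alerts.append(Alert("smtp_from_non_mail_client", proc, f"{host}:{port}"))

        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            # Registry paths are case-insensitive; only a value of 1 disables the setting.
            if target.lower() in DEFENDER_TAMPER_VALUES and "0x00000001" in details:
                alerts.append(Alert("defender_tamper", proc, target.rsplit("\\", 1)[-1]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.process}: {alert.detail}")
```

    Run against the constructed log this raises three alerts, all attributed to the dropped executable: one for the SMTP connection to the extracted C2 and one for each Defender setting flipped to 1. Outlook's submission traffic and svchost writing a value of 0 are not flagged, which is the distinction a production rule needs to keep the signal usable.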

MITRE ATT&CK Matrix

Tasks