General

  • Target

    IMG_057_163_22.doc

  • Size

    183KB

  • Sample

    210511-y4361ngz12

  • MD5

    49ad6fb2dca5d329f6c458ebb172f35f

  • SHA1

    814e7ee66ade2d0b7eeca2f4c655709939b31ac9

  • SHA256

    69ac0d42dce05bcd01273fc11a1a73fa7d6ab446ef129677940a328aa8f1e4d2

  • SHA512

    310e428d16cbb69d2e48c18193716481e5db09c985438bbe1049140a3ff4c5c77aa5ffd83f9343784ee9bb5be7b572e565f04c0c1109b59cae6923976a2a35dd

Malware Config

Extracted

  • Family

    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    sixjan.club
  • Port:
    587
  • Username:
    andle@sixjan.club
  • Password:
    j&2^(}d4gD}u

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks