General

  • Target

    NEWPO-CEAUSTRALIA PTY LTD.xls

  • Size

    60KB

  • Sample

    210511-y9gz2hkhf6

  • MD5

    30f70aa50b3b8186d1f0852bfeb46aa7

  • SHA1

    8e606582f75aba27aad87c6a0628fd8d26969e22

  • SHA256

    0127ed2d5c88bea1754efc672d6990dab2ea987fa76d6047cf0807b7f8bd9208

  • SHA512

    27b7eb0751b3ca57a2cdf3035df8213fa970394d5c0bfb2d2ec2aa53d0f2693b98299adab9d811ea959177c4a2b290a461b43eb0e028fc5dce8d821d209f45e3

Malware Config

Extracted

Family

agenttesla

C2

http://103.151.125.220/me/file1919/inc/8b183a1ede460a.php

Targets

    • Target

      NEWPO-CEAUSTRALIA PTY LTD.xls

    • Size

      60KB

    • MD5

      30f70aa50b3b8186d1f0852bfeb46aa7

    • SHA1

      8e606582f75aba27aad87c6a0628fd8d26969e22

    • SHA256

      0127ed2d5c88bea1754efc672d6990dab2ea987fa76d6047cf0807b7f8bd9208

    • SHA512

      27b7eb0751b3ca57a2cdf3035df8213fa970394d5c0bfb2d2ec2aa53d0f2693b98299adab9d811ea959177c4a2b290a461b43eb0e028fc5dce8d821d209f45e3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks