General

  • Target

    RFQ Ranger Neo.doc

  • Size

    4KB

  • Sample

    210721-rb7365dyzs

  • MD5

    d51db0f037f97835cb334b38b4ce772f

  • SHA1

    ebdd88a747493385c96da530271e214df874f0ab

  • SHA256

    9eb87a2416b79b100ca24fa57d1bfa15fcce90a44f5cbb10353ed7e873394753

  • SHA512

    094f8019710b1a176bd5bc55ad34ce36f7e01944d1376ffd8bde1b807bbd4e6cfc02c2903027acf0b6912a0a9d6f39ce3397d37e4106584a6187e90a9483f966

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Neways@123

Targets

    • Target

      RFQ Ranger Neo.doc

    • Size

      4KB

    • MD5

      d51db0f037f97835cb334b38b4ce772f

    • SHA1

      ebdd88a747493385c96da530271e214df874f0ab

    • SHA256

      9eb87a2416b79b100ca24fa57d1bfa15fcce90a44f5cbb10353ed7e873394753

    • SHA512

      094f8019710b1a176bd5bc55ad34ce36f7e01944d1376ffd8bde1b807bbd4e6cfc02c2903027acf0b6912a0a9d6f39ce3397d37e4106584a6187e90a9483f966

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks