OKTAL PHARMACEUTICAL ORDER.doc

General

Target: OKTAL PHARMACEUTICAL ORDER.doc
Size: 4KB
Sample: 210727-5qdpax8zyn
Score: 10/10
MD5: 518568b5c3bfcaa67474cd0b448c1dde
SHA1: a72ca8d71e7a4424e6c54567bf74765ea92dbf4a
SHA256: 0826832dd2b6d96d111d92f8917d86f7acd41abcfed19d9cea448b04b6b0dbeb
SHA512: 972bd97c8b9c844dab8a41c5024d15850ef5cfe8efcc24300b2edea7109d889b2253d8d305a4403c4e41cb9eb1623354883f3e37b1b68075d2c61d28a2f4508d

Malware Config

Extracted

Family: agenttesla
Credentials
  Protocol: smtp
  Host: mail.privateemail.com
  Port: 587
  Username: ddelande@quadrel-com.icu
  Password: snookiep@123

Signatures

  • AgentTesla
    Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • AgentTesla Payload

  • CustAttr .NET packer
    Description: Detects CustAttr .NET packer in memory.

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

Related Tasks

Tasks: static1, behavioral2

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation