General

  • Target

    RFQ No3756368.doc

  • Size

    75KB

  • Sample

    210727-5wgd92741j

  • MD5

    b156ed4230557289721a0256a6aa23ea

  • SHA1

    59d8da9d1c4ec783f59d9c6ba330e4392151cb9a

  • SHA256

    8e97e85fd5881e5f4f31f95f5bc13de014ab3a3f278fec651f5208a73f22259e

  • SHA512

    8c1e68f8f497becf235c453c23eab1638ca4ceb283e92ab221ec366ed24b10152e4e2301fbf3739f095dc32c4b3f6fcec3432d587440fe54d4e2d6e7c6ef2d91

Malware Config

Extracted

  • Family:
    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.camerapro.co.za
  • Port:
    587
  • Username:
    orders@camerapro.co.za
  • Password:
    JJJ65259sss

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Exploitation for Client Execution (T1203): 1

  • Defense Evasion
    Modify Registry (T1112): 1

  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2

Tasks