SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223

General
Target

SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223

Size

877KB

Sample

210727-fnjb9ghsdn

Score
10 /10
MD5

62b3afbdddfb88d96f76df2afd3bd8f2

SHA1

02d47da3c2f80960e94abbd69a316c0ef9cbc298

SHA256

232d3e2c32dfde5713153e9ba4a2c08b6e51766f5eef4575a821410edef4a495

SHA512

4b1838c2bf67f7d567d2276b06aa5b4797ef017f0c1208307ebc0a13bd344ff6d2a81e96c7daf89c8f9c5c34a7141f7d936196792dc7aa79a86b370c9b6eba44

Malware Config

Extracted

Family agenttesla
Credentials

Protocol: smtp

Host: uscentral50.myserverhosts.com

Port: 587

Username: sales@radheatwaters.com

Password: waters@789

Targets
Target

SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223

MD5

62b3afbdddfb88d96f76df2afd3bd8f2

Filesize

877KB

Score
10 /10
SHA1

02d47da3c2f80960e94abbd69a316c0ef9cbc298

SHA256

232d3e2c32dfde5713153e9ba4a2c08b6e51766f5eef4575a821410edef4a495

SHA512

4b1838c2bf67f7d567d2276b06aa5b4797ef017f0c1208307ebc0a13bd344ff6d2a81e96c7daf89c8f9c5c34a7141f7d936196792dc7aa79a86b370c9b6eba44

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • AgentTesla Payload

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

  • Drops file in Drivers directory

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Privilege Escalation