General

  • Target

    SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223

  • Size

    877KB

  • Sample

    210727-fnjb9ghsdn

  • MD5

    62b3afbdddfb88d96f76df2afd3bd8f2

  • SHA1

    02d47da3c2f80960e94abbd69a316c0ef9cbc298

  • SHA256

    232d3e2c32dfde5713153e9ba4a2c08b6e51766f5eef4575a821410edef4a495

  • SHA512

    4b1838c2bf67f7d567d2276b06aa5b4797ef017f0c1208307ebc0a13bd344ff6d2a81e96c7daf89c8f9c5c34a7141f7d936196792dc7aa79a86b370c9b6eba44

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    uscentral50.myserverhosts.com
  • Port:
    587
  • Username:
    sales@radheatwaters.com
  • Password:
    waters@789
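
The credentials above are the attacker's drop mailbox (often a compromised legitimate account), and they are the most actionable indicator on the page: any host authenticating to that account, or connecting to that submission host, is exfiltrating. The following Python is an added example, not code from the sandbox report or from Agent Tesla: it copies the hashes, host, port and username from this page into a small matcher and runs it over constructed key=value log lines and a constructed SMTP AUTH LOGIN capture (the log format, IPs and timestamps are invented; the password in the capture is a placeholder).

```python
"""Added example (not part of the sandbox report or of Agent Tesla itself):
turns the IOCs shown on this page into a small matcher and runs it over
constructed log data. Hashes, exfil host, port and username are copied
from the report; every log line and SMTP transcript below is constructed."""
import base64
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Extracted config, copied from the "Malware Config" section above.
EXFIL_HOST = "uscentral50.myserverhosts.com"
EXFIL_PORT = 587
EXFIL_USER = "sales@radheatwaters.com"

# Sample hashes, copied from the "General" section above.
SAMPLE_HASHES = {
    "md5": "62b3afbdddfb88d96f76df2afd3bd8f2",
    "sha1": "02d47da3c2f80960e94abbd69a316c0ef9cbc298",
    "sha256": "232d3e2c32dfde5713153e9ba4a2c08b6e51766f5eef4575a821410edef4a495",
}


def digests(data: bytes) -> dict:
    """Compute every digest the report lists, so a file can be matched by any of them."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in SAMPLE_HASHES}


def matches_sample(data: bytes) -> bool:
    """True if any digest of `data` equals the corresponding reported hash."""
    d = digests(data)
    return any(d[algo] == h for algo, h in SAMPLE_HASHES.items())


# Generic key=value firewall/proxy log lines (constructed format, not a real product's).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def flag_connection(line: str) -> Optional[str]:
    """Return why a log line matches the extracted config, or None."""
    f = parse_kv(line)
    dst = f.get("dst", "").lower().rstrip(".")  # hostnames are case-insensitive
    try:
        dport = int(f.get("dport", "-1"))
    except ValueError:
        dport = -1
    if dst == EXFIL_HOST:
        return f"connection to extracted exfil host {EXFIL_HOST} on port {dport}"
    if dport == EXFIL_PORT and f.get("user", "").lower() == EXFIL_USER:
        # Same drop mailbox reached through another relay: still the attacker's account.
        return f"SMTP submission authenticating as extracted user {EXFIL_USER}"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    hits = []
    for line in lines:
        reason = flag_connection(line)
        if reason:
            hits.append((line, reason))
    return hits


def auth_login_user(transcript: Iterable[str]) -> Optional[str]:
    """Recover the username from an SMTP AUTH LOGIN exchange.

    After 'AUTH LOGIN' the client sends the username base64-encoded; server
    lines ('334 ...', '235 ...') are skipped so a full capture can be fed in.
    """
    lines = iter(transcript)
    for line in lines:
        if line.strip().upper() != "AUTH LOGIN":
            continue
        for nxt in lines:
            if re.match(r"^\d{3}[ -]", nxt):
                continue  # server reply, not the client's credential line
            try:
                return base64.b64decode(nxt.strip(), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def credential_reused(transcript: Iterable[str]) -> bool:
    user = auth_login_user(transcript)
    return user is not None and user.lower() == EXFIL_USER


# Constructed sample input (not from the report): three hosts talking on 587/tcp.
CONSTRUCTED_LOGS = [
    "2021-07-27T10:01:02Z src=10.0.0.23 dst=mail.example.net dport=587 proto=tcp user=alice@example.net",
    "2021-07-27T10:01:09Z src=10.0.0.23 dst=USCentral50.MyServerHosts.com dport=587 proto=tcp",
    "2021-07-27T10:02:11Z src=10.0.0.41 dst=smtp.example.org dport=587 proto=tcp user=sales@radheatwaters.com",
    "2021-07-27T10:03:00Z src=10.0.0.23 dst=update.example.com dport=443 proto=tcp",
]

# Constructed AUTH LOGIN capture; the password line is a placeholder, not the real one.
CONSTRUCTED_SMTP = [
    "EHLO WS01",
    "250-uscentral50.myserverhosts.com",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",
    base64.b64encode(EXFIL_USER.encode()).decode(),
    "334 UGFzc3dvcmQ6",
    base64.b64encode(b"placeholder").decode(),
    "235 2.7.0 Authentication successful",
]

if __name__ == "__main__":
    for line, reason in scan(CONSTRUCTED_LOGS):
        print(f"ALERT: {reason}\n   {line}")
    print("credential reused in SMTP capture:", credential_reused(CONSTRUCTED_SMTP))
```

Two of the four constructed log lines fire: the direct connection to the submission host (matched case-insensitively) and a submission to a different relay that still authenticates as the extracted account. Matching on the username as well as the host matters because the mailbox, not the hostname, is what the operator keeps; the host can change between builds while the drop account stays the same.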

Targets

    • Target

      SecuriteInfo.com.Trojan.Win32.Save.a.14998.30223

    • Size

      877KB

    • MD5

      62b3afbdddfb88d96f76df2afd3bd8f2

    • SHA1

      02d47da3c2f80960e94abbd69a316c0ef9cbc298

    • SHA256

      232d3e2c32dfde5713153e9ba4a2c08b6e51766f5eef4575a821410edef4a495

    • SHA512

      4b1838c2bf67f7d567d2276b06aa5b4797ef017f0c1208307ebc0a13bd344ff6d2a81e96c7daf89c8f9c5c34a7141f7d936196792dc7aa79a86b370c9b6eba44

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests credentials and keystrokes from the infected host and exfiltrates them over a channel set in its configuration; for this sample that channel is SMTP, which is where the extracted mail server and account above come from.

    • AgentTesla Payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Drops file in Drivers directory

    • Adds Run key to start application

    • Suspicious use of SetThreadContext (rewriting the thread context of another process, the classic process-hollowing / code-injection step)

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1 signature. T1060 was retired in ATT&CK v7; the current equivalent is T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).

  • Defense Evasion

    Modify Registry (T1112): 1 signature.
