General

  • Target

    ABSA Bank_Payment Advice copy.doc

  • Size

    3.3MB

  • Sample

    210727-gljpf5b6sn

  • MD5

    dc27adc9ac30cc0de96a0babf896cc74

  • SHA1

    984fd4d264aad2432654aee42fefa1d2c7191081

  • SHA256

    1c70882051a5b725ee8ac98b24ad6e6a1b867dcad1cdb5acf82e84fe4f8cc109

  • SHA512

    cd38ba8a03d597f03278141fee445012aaa125105fbce21f4b00be697570a4505b24e31164d6ae9080720d2caa97e1b5f9b38ea0d9bb10d80407a508a9c62ba7

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.meyaargroup.com
  • Port:
    587
  • Username:
    info@meyaargroup.com
  • Password:
    Meyaar@123$

Targets

    • Target

      ABSA Bank_Payment Advice copy.doc

    • Size

      3.3MB

    • MD5

      dc27adc9ac30cc0de96a0babf896cc74

    • SHA1

      984fd4d264aad2432654aee42fefa1d2c7191081

    • SHA256

      1c70882051a5b725ee8ac98b24ad6e6a1b867dcad1cdb5acf82e84fe4f8cc109

    • SHA512

      cd38ba8a03d597f03278141fee445012aaa125105fbce21f4b00be697570a4505b24e31164d6ae9080720d2caa97e1b5f9b38ea0d9bb10d80407a508a9c62ba7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

    • AgentTesla Payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Exploitation for Client Execution

1
T1203

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks