Order 4110043899.exe

General
Target

Order 4110043899.exe

Size

900KB

Sample

210727-lecqjbalxa

Score
10 /10
MD5

825cbb275c093bf072f2aad913868ef8

SHA1

4b2416183753e26090d043620894264fdf26f95d

SHA256

d67d60c7f4d8fb4d67571d372fc1e6ebd9cf1a12e7c4223b8bb4eb16d4c96e0c

SHA512

dd000ff1e7b68a90a058c7fe889bc2a79585d86972eff5a7d5dc6bff0197c662c2f1e2e85fd98ebc68d0ec5983e26d7083c5d6203669137d52d7583deb769e06

Malware Config

Extracted

Family agenttesla
Credentials

Protocol: smtp

Host: mail.ndn.edu.lb

Port: 587

Username: chefcomptable@ndn.edu.lb

Password: Lebanon-Achrafieh-39

Targets
Target

Order 4110043899.exe

MD5

825cbb275c093bf072f2aad913868ef8

Filesize

900KB

Score
10 /10
SHA1

4b2416183753e26090d043620894264fdf26f95d

SHA256

d67d60c7f4d8fb4d67571d372fc1e6ebd9cf1a12e7c4223b8bb4eb16d4c96e0c

SHA512

dd000ff1e7b68a90a058c7fe889bc2a79585d86972eff5a7d5dc6bff0197c662c2f1e2e85fd98ebc68d0ec5983e26d7083c5d6203669137d52d7583deb769e06

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • AgentTesla Payload

  • Drops file in Drivers directory

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Privilege Escalation