General

  • Target

    PO_DEA83657-ARF-(QR - 0621).exe

  • Size

    943KB

  • Sample

    210727-lg1cf51hf6

  • MD5

    465925dd7f0d7f41b5fff771e3cb8358

  • SHA1

    a7aa00da7f562e127c66e0c63b13ddde78fc3b08

  • SHA256

    9a5ea80dc3f334116c002ab185a5f54f80c72bcd11fcf5051b0a2e3a7704a3df

  • SHA512

    28c8db63e8706692d8350c1bb90b7f3a9ff37f3e66e5e3f96dfff34b7f0b6915525e156d08313e541086e6c1bac94e1c7d00060c83a0ac31354755290de493e5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.aetheredbs.com
  • Port:
    587
  • Username:
    purchase1@aetheredbs.com
  • Password:
    AtVywhA4

Targets

    • Target

      PO_DEA83657-ARF-(QR - 0621).exe

    • Size

      943KB

    • MD5

      465925dd7f0d7f41b5fff771e3cb8358

    • SHA1

      a7aa00da7f562e127c66e0c63b13ddde78fc3b08

    • SHA256

      9a5ea80dc3f334116c002ab185a5f54f80c72bcd11fcf5051b0a2e3a7704a3df

    • SHA512

      28c8db63e8706692d8350c1bb90b7f3a9ff37f3e66e5e3f96dfff34b7f0b6915525e156d08313e541086e6c1bac94e1c7d00060c83a0ac31354755290de493e5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

3
T1005

Tasks