General

  • Target

    July Order 1 jpg.exe

  • Size

    1.1MB

  • Sample

    210727-x376qjzezs

  • MD5

    6fc8a7966aa650e9bde3b05dbf553466

  • SHA1

    3b4aa0d3612ba04d0ccd700912b7ba4d685e31d5

  • SHA256

    76895d99680852f9ccb3bc6e2bd937bdd76da6dc16b1e6704e804be92f40c2e5

  • SHA512

    05b061c677dc335bf15374001c15df2c58359b035c29328ae11984fc139d4cffd184dcf3223548aae06fd663b07388a2506e835cc5701b3267fd6f91416d7192

Malware Config

Extracted

  • Family

    agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.palletsolutions.ca
  • Port: 587
  • Username: eloglogs@palletsolutions.ca
  • Password: h~Q+QV.(M2?!

Targets

    • Target

      July Order 1 jpg.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic: Technique (number of matching signatures), technique ID

  • Execution

    Scheduled Task (1), T1053

  • Persistence

    Scheduled Task (1), T1053

  • Privilege Escalation

    Scheduled Task (1), T1053

  • Defense Evasion

    Virtualization/Sandbox Evasion (2), T1497

  • Discovery

    Query Registry (4), T1012
    Virtualization/Sandbox Evasion (2), T1497
    System Information Discovery (3), T1082
    Peripheral Device Discovery (1), T1120