General

  • Target

    92c492_8f22087a2c0740eba07c3aea05e107e7.ps1

  • Size

    759KB

  • Sample

    211019-l1s1vsgeej

  • MD5

    cbc2d2fda4346646489382819fb07d61

  • SHA1

    9b3768e6676984c90a0ad251a588e6b0ecfca365

  • SHA256

    d2606cc6318b1e0c21de14cf79f8e06652e783e9239c84eec8bd2b0582ab6cd2

  • SHA512

    72ca8ceaf15aca5400e4504c9fd521414b7a4330fc9bd0cf3c31caf62f20227fb34c4c9b68f7cf756d64ffc687fb0d33435cc200a001def42ff16dfbbabdb059

Malware Config

Extracted

Family

agenttesla

C2

http://103.125.190.248/j/p13n/mawa/b04042b22b2b6179257d.php

Targets

    • Target

      92c492_8f22087a2c0740eba07c3aea05e107e7.ps1

    • Size

      759KB

    • MD5

      cbc2d2fda4346646489382819fb07d61

    • SHA1

      9b3768e6676984c90a0ad251a588e6b0ecfca365

    • SHA256

      d2606cc6318b1e0c21de14cf79f8e06652e783e9239c84eec8bd2b0582ab6cd2

    • SHA512

      72ca8ceaf15aca5400e4504c9fd521414b7a4330fc9bd0cf3c31caf62f20227fb34c4c9b68f7cf756d64ffc687fb0d33435cc200a001def42ff16dfbbabdb059

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks