General

  • Target

    BANK COPY.doc

  • Size

    440KB

  • Sample

    211021-rk3s1sbcen

  • MD5

    978891042c401f4f06a7575d86c62533

  • SHA1

    1e51fadad4f54b068a3693aec6693c78feba3ee0

  • SHA256

    828803e774a6a8a421b89862344bcce0445e8f38664baa1ceea169633fb3a73a

  • SHA512

    71dd81bae7d55713a4716a29ece7af66d5a6d73d835b08bda29fdefe9d98a8a11921b64d6825f52a9e55cc9c087008811abb330c8c247d0c573b0a4eca83adaa

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    masterwork123oshe@vivaldi.net
  • Password:
    payment@1234

Targets

    • Target

      BANK COPY.doc

    • Size

      440KB

    • MD5

      978891042c401f4f06a7575d86c62533

    • SHA1

      1e51fadad4f54b068a3693aec6693c78feba3ee0

    • SHA256

      828803e774a6a8a421b89862344bcce0445e8f38664baa1ceea169633fb3a73a

    • SHA512

      71dd81bae7d55713a4716a29ece7af66d5a6d73d835b08bda29fdefe9d98a8a11921b64d6825f52a9e55cc9c087008811abb330c8c247d0c573b0a4eca83adaa

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Tasks