General

  • Target

    220317-pcwnmadeb6_pw_infected.zip

  • Size

    377KB

  • Sample

    220317-pgntksdef4

  • MD5

    bc9eb54c14073f64e7f571b6a049bd9e

  • SHA1

    d6a34b17bd157a4eb55a0a954a6e9bfd9193a14e

  • SHA256

    cb03d01cbf3783e1d19e26a1f2ff55ce711b53df64b4ddad68367a2ea1bc6a4f

  • SHA512

    c056e31513bb253541e4141a854220119d1cbef94f27dcc21e4f9fb89d13f97dc49f0814b1cc6bd0385f6aa6d040f75d88ad8b68114a246f14ae9be8b23ed089

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Shipping Document PL&BL Draft.exe

    • Size

      1.9MB

    • MD5

      94fbe5a58977c921436351766164d747

    • SHA1

      ca7b58e4d9b4caeafa1f772e56a93363a07f6a65

    • SHA256

      8cbf496620e93736005fc69b9eb0f162e4e716786ab5e29e94ead94bf496cd02

    • SHA512

      9f11edd872bb117c1ca00bed355876ff9d87618604675aeb4988cb957d38a2bf820050cf2f4ecaf4301bcd73556d7b06a135d848d01d8bc6713a5d001baaa3a8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • DiamondFox

      DiamondFox is a multipurpose botnet with many capabilities.

    • Registers COM server for autorun

    • AgentTesla Payload

    • Executes dropped EXE

    • Sets file execution options in registry

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Creates a Windows Service

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks