General

  • Target

    69714ec6b859d1f64e57f831edd1e2a1776f7a280b7d6dc96f798c907de8ab25

  • Size

    1.2MB

  • Sample

    220520-h9k5tsfhf9

  • MD5

    415ef46d9713b615f324fd20702639cb

  • SHA1

    c0583b7468fef3b33bf4d9671c4a774900ae6151

  • SHA256

    69714ec6b859d1f64e57f831edd1e2a1776f7a280b7d6dc96f798c907de8ab25

  • SHA512

    b0addd6e5cf49dc63c388f1086366e3deb4128c04230c15315a1f08ff920f76505dfd96c056a537b127badf2c86899ee4be1025ca5d8e3addaca19f871ec0890

Malware Config

Targets

    • Target

      Beykar PO10301943427 copy- xls.exe

    • Size

      1.3MB

    • MD5

      f8d29431dde6dd65e034b99c29ce9c64

    • SHA1

      0c23620a0070f37794b895c35d7afe1de83bc36f

    • SHA256

      d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d

    • SHA512

      844d18e3694ba0ef27c80bfc7a5638cf221559a4fa7e32383e84e9e0b095bdb342cc751ef8e2f39f6b95d438707bbb083434f753d00dbb2fafb5bd666ab6caae

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET.

    • AgentTesla Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry; this is likely a geofence check, i.e. the sample decides whether to run based on the victim's region.

    • Loads dropped DLL

    • Adds Run key to start application

    • Detected potential entity reuse from brand Microsoft

      The sample reuses Microsoft-branded names or metadata, likely so that it passes as a legitimate Microsoft file.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used by process hollowing and similar injection techniques to redirect a suspended thread to injected code.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            ID      Count
  Persistence      Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion  Modify Registry                      T1112   1
  Discovery        Query Registry                       T1012   2
  Discovery        System Information Discovery         T1082   3
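How a sandbox turns raw behaviour into the signature list and the ATT&CK counts above, as an added example that is not the sandbox's own code: a toy rule matcher run over a constructed event log. The event format, the registry path used for the location check and the file names are assumptions made for the example, not data recorded from this sample; "dropped" is modelled as any path the sample wrote before using it.

```python
import re
from collections import Counter

# Constructed sandbox-style event log: (operation, target). These lines are
# made up to exercise the rules; they are not events recorded from the sample.
SAMPLE_EVENTS = [
    ("WriteFile",        r"C:\Users\user\AppData\Roaming\svc\update.exe"),
    ("WriteFile",        r"C:\Users\user\AppData\Roaming\svc\helper.dll"),
    # Assumed registry location for the country-code lookup (geofence check).
    ("RegQueryValue",    r"HKCU\Control Panel\International\sCountry"),
    ("RegQueryValue",    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
    ("RegSetValue",      r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("CreateProcess",    r"C:\Users\user\AppData\Roaming\svc\update.exe"),
    ("LoadLibrary",      r"C:\Users\user\AppData\Roaming\svc\helper.dll"),
    ("CreateProcess",    r"C:\Windows\System32\notepad.exe"),
    ("SetThreadContext", "tid=1234"),
]

# (signature name as the report phrases it, ATT&CK v6 technique or None,
#  operation to match, regex applied to the event target)
RULES = [
    ("Adds Run key to start application", "T1060", "RegSetValue",
     r"\\CurrentVersion\\Run(Once)?\\"),
    ("Modify Registry", "T1112", "RegSetValue", r"."),
    ("Checks computer location settings", "T1082", "RegQueryValue",
     r"\\Control Panel\\International\\"),  # assumed key, see lead-in
    ("Query Registry", "T1012", "RegQueryValue", r"."),
    ("Suspicious use of SetThreadContext", None, "SetThreadContext", r"."),
]


def dropped_files(events):
    """Paths the sample itself wrote; a later execute/load of one of these
    is what the report calls a dropped EXE or DLL."""
    return {target.lower() for op, target in events if op == "WriteFile"}


def match_signatures(events):
    """Return one (signature, technique, target) hit per matching event."""
    dropped = dropped_files(events)
    hits = []
    for op, target in events:
        for name, tech, rule_op, pattern in RULES:
            if op == rule_op and re.search(pattern, target, re.IGNORECASE):
                hits.append((name, tech, target))
        # Stateful rules: the target must have been dropped earlier in the log.
        if op == "CreateProcess" and target.lower() in dropped:
            hits.append(("Executes dropped EXE", None, target))
        if op == "LoadLibrary" and target.lower() in dropped:
            hits.append(("Loads dropped DLL", None, target))
    return hits


def attack_counts(hits):
    """Events per technique: the numbers shown in the ATT&CK matrix."""
    return Counter(tech for _, tech, _ in hits if tech)


def signature_names(hits):
    """Deduplicated signature list, as the report's signature section shows it."""
    return sorted({name for name, _, _ in hits})


if __name__ == "__main__":
    found = match_signatures(SAMPLE_EVENTS)
    for name in signature_names(found):
        print("•", name)
    for tech, count in sorted(attack_counts(found).items()):
        print(tech, count)
```

Note that the untracked `notepad.exe` launch produces no hit: without the dropped-file state a plain CreateProcess rule would flag every child process, which is the kind of noise sandbox signatures are written to avoid.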

Tasks