General

  • Target

    6d8590e40c9c318de72f49d22c1782eb4e9a902ab3bb42d05d33416964f29844

  • Size

    1.2MB

  • Sample

    220521-mndk3scag7

  • MD5

    5f7031097fe48c72f4ba6a7eeecd987c

  • SHA1

    13fbb20fc8e42b4255dd7fbd4a6f6034acef86c1

  • SHA256

    6d8590e40c9c318de72f49d22c1782eb4e9a902ab3bb42d05d33416964f29844

  • SHA512

    6b49a9ffa7d3e98cc934cecc0aa1af570a60dfc74afc0c1cd0b31a82478cc18ff4024fab77d083f392a940def2e8f46eb93a36e8a4b43e9ef467b3aa58599ce9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pptoursperu.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mailppt2019-

Targets

    • Target

      00-197-SA CONTROL-M5125.exe

    • Size

      1.7MB

    • MD5

      9f087d8b30fd9b2d64382722131337b8

    • SHA1

      1db83cf40ce6b0be89672842cbeb7c9c501877d8

    • SHA256

      b11297ccdc36a277df52b8952f8e880103bbce07e79a5bb402fc70738dc45b01

    • SHA512

      03eba2aa6926168cdbfe7a0d75bdad69017843bd5b29b5591ebbe027fd783bc74de78b1ad527d44066a51b9eba2c11350179e95e0474c95d1e237f2fc79d971c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Drops startup file

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Collection

    Email Collection (T1114): 1