General

  • Target

    0cbbd9e6106d9799ddf5b68b94872e5e4b1254a88c1c6d1c7edb099692313951

  • Size

    463KB

  • Sample

    220521-ppk3naahgj

  • MD5

    c07dbc878c83e592b8fb6131aa8ef45d

  • SHA1

    e63533051d4b8470eb6c7686fa74e00c4a722e67

  • SHA256

    0cbbd9e6106d9799ddf5b68b94872e5e4b1254a88c1c6d1c7edb099692313951

  • SHA512

    e224fb4ea780ed5383224000c547faf9cf8820e55ee0397cdc2ba40ced5e69106b61477ee8e37184ebae73db8fdd658d6374df1c477f383c8dce0b74771355cd

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.winhalltech.com
  • Port:
    587
  • Username:
    hafizzul@winhalltech.com
  • Password:
    Hafizzul*010218

Targets

    • Target

      ?gnp.025062-OP.exe

    • Size

      592KB

    • MD5

      73649cfc570b95a7b28ea33e5922f909

    • SHA1

      2aa9319bdfcf515ce716e7ca299764011cc3e66d

    • SHA256

      8434971fe8238cbca3e48cd4f128b6c36170f263f1b07e7f942197efae39e4c0

    • SHA512

      32c958e076c89635eab4513752f9e1e26e7dc5dd018cd2541d4e7757fd3410e4ea9088a418c2bc128628f1556dc573c263c7844ebc5b4487453bcb6f987102e7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Email Collection

1
T1114

Tasks