General

  • Target: 135d2c94647886d894ee45ae70ac9d0accad9860ff5c4b29397489783f56d794
  • Size: 463KB
  • Sample: 220521-py62gsbebj
  • MD5: 71f73f067e32b7a3e0ea01fc73135f8e
  • SHA1: b7be48737d5ff3e0500b12a618ec5e83514079ac
  • SHA256: 135d2c94647886d894ee45ae70ac9d0accad9860ff5c4b29397489783f56d794
  • SHA512: 7776a67ed5ddadfd4336c4e8ff44f62f72699212ae79181c5e5ee442913a2e8e51f77f6c5bf943a092b2fdced98d56f431af39ddd32bfd4992afbb3c1d853607

Malware Config

Extracted

Family: agenttesla

Credentials (exfiltration channel recovered from the configuration)

  • Protocol: smtp
  • Host: mail.varda.com.tr
  • Port: 587
  • Username: info@varda.com.tr
  • Password: varda9997929

Targets

    • Target: DOC.exe
    • Size: 756KB
    • MD5: 91d8c3dbdbe3db1041f438046e1bc0e0
    • SHA1: 6bdc2ac56290abdc35be53cdc1e697166c203d81
    • SHA256: fe200cf4827d467a2915295f0b092c7afedfc13dde1381a74bb884e2baceb44c
    • SHA512: 9b466c84d0c0815ead8c5691946a474daa9db3e823680acb9d0d189412b3e7dc10ecd6f1eb062637946bcef7ce1b54a1167d8c0f2abbd218c6bacb1155777e70

    Signatures

    • AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • AgentTesla Payload
    • Drops file in Drivers directory
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                                Count  ID
Execution              Scheduled Task                           1      T1053
Persistence            Registry Run Keys / Startup Folder       1      T1060
Persistence            Scheduled Task                           1      T1053
Privilege Escalation   Scheduled Task                           1      T1053
Defense Evasion        Modify Registry                          2      T1112
Discovery              Query Registry                           1      T1012
Discovery              System Information Discovery             2      T1082
Collection             Email Collection                         1      T1114

Tasks