135d2c94647886d894ee45ae70ac9d0accad9860ff5c4b29397489783f56d794

General

Target: 135d2c94647886d894ee45ae70ac9d0accad9860ff5c4b29397489783f56d794
Size: 463KB
Sample: 220521-py62gsbebj
Score: 10/10
MD5: 71f73f067e32b7a3e0ea01fc73135f8e
SHA1: b7be48737d5ff3e0500b12a618ec5e83514079ac
SHA256: 135d2c94647886d894ee45ae70ac9d0accad9860ff5c4b29397489783f56d794
SHA512: 7776a67ed5ddadfd4336c4e8ff44f62f72699212ae79181c5e5ee442913a2e8e51f77f6c5bf943a092b2fdced98d56f431af39ddd32bfd4992afbb3c1d853607

Malware Config

Extracted

Family: agenttesla

Credentials

Protocol: smtp
Host: mail.varda.com.tr
Port: 587
Username: info@varda.com.tr
Password: varda9997929

Targets

Target: DOC.exe
MD5: 91d8c3dbdbe3db1041f438046e1bc0e0
Filesize: 756KB
Score: 10/10
SHA1: 6bdc2ac56290abdc35be53cdc1e697166c203d81
SHA256: fe200cf4827d467a2915295f0b092c7afedfc13dde1381a74bb884e2baceb44c
SHA512: 9b466c84d0c0815ead8c5691946a474daa9db3e823680acb9d0d189412b3e7dc10ecd6f1eb062637946bcef7ce1b54a1167d8c0f2abbd218c6bacb1155777e70

Signatures

  • AgentTesla
    Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

  • Drops file in Drivers directory

  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely a geofence check.
    TTPs: Query Registry; System Information Discovery

  • Accesses Microsoft Outlook profiles
    TTPs: Email Collection

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation