General

  • Target

    16e6d3573c9d2baff23f67eebd2cf90c3755023f3f03efb300fd0eeb5a282d7e

  • Size

    362KB

  • Sample

    220521-pyv9zsbdhr

  • MD5

    385e8870690a28b6253b3376e48b7476

  • SHA1

    fa6e3b318239d4a8e579de9fc6d1ad916bf2440c

  • SHA256

    16e6d3573c9d2baff23f67eebd2cf90c3755023f3f03efb300fd0eeb5a282d7e

  • SHA512

    6cefdb9b05607b30d0b4cc2bdae960c158e00f4b88d2b5a512b1383185ed2beff4494899c0a2149f485448fae0689436e879180f129d92b93087bb516ead5488

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.israelagroconsultant.com
  • Port:
    587
  • Username:
    info@israelagroconsultant.com
  • Password:
    israelagro@123

Targets

    • Target

      PI-CP200213001-BR-PAK-Wire Bender CHR-08-3A UR130 for (Canwin).exe

    • Size

      381KB

    • MD5

      b743c2227f2de908c452871bab7169c8

    • SHA1

      18c63dc0f8446124ada2d9bcda0b3ce8d24327de

    • SHA256

      00c549cab376f4115dfd046e19ffdfa21726213362d2dc1d035975b1686edf05

    • SHA512

      70dad470bdfeee4dddd80e1287cec58a6be6e7903f1722b25e5f2478692e992e9be93e08baff7fe5118dafb90d91c8adbd1ea7f0193be6602e6a4baa3b90f59c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082
  • Collection
    Email Collection (1) T1114

Tasks