General
-
Target
485c8a8ef8e81296c121ef23c12c80579b7d7c62426f62288fa10aee04d4e704
-
Size
393KB
-
Sample
220714-dt217aecb3
-
MD5
b0ca132b79d5d72014761b212a44a31c
-
SHA1
d1fda07396f1fb3ccd3ad04648d1eaec90d8500a
-
SHA256
485c8a8ef8e81296c121ef23c12c80579b7d7c62426f62288fa10aee04d4e704
-
SHA512
bc2caa5ed9ba552679d58eb2637919f5056569d9c04e2f2a3ab5226792d508a37c99102d6f90632c8f8a81de5440ad1e7977127a3b700655fa94e458bb32d4f8
Static task
static1
Behavioral task
behavioral1
Sample
PO#CWA006635.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PO#CWA006635.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.cpworldindia.com
Port: 587
Username: import.cs@ahd.cpworldindia.com
Password: imprtcs@2019
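Added example (not part of the sandbox report, the sandbox, or the malware): a small Python checker that decodes SMTP AUTH LOGIN and AUTH PLAIN credentials from a captured cleartext submission session and compares them, together with the destination, against the extracted config above. Only the host, port, username and password come from the report; the two session transcripts and the client hostname DESKTOP-ABC123 are constructed for the example. Like the ET MALWARE AgentTesla Exfil Via SMTP Suricata signature listed under Targets, it only sees anything when the session is not wrapped in STARTTLS before AUTH.

```python
"""Decode SMTP AUTH credentials from a captured session and compare them with
the AgentTesla config extracted above. Added example for this report, not code
from the sandbox or the malware. Only host, port, username and password come
from the extracted config; the transcripts and hostname are constructed."""
import base64
import binascii

# Values copied from the report's extracted AgentTesla config.
EXTRACTED_CONFIG = {
    "host": "mail.cpworldindia.com",
    "port": 587,
    "username": "import.cs@ahd.cpworldindia.com",
    "password": "imprtcs@2019",
}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed transcript of a client using that config on cleartext port 587
# ("C:" client, "S:" server). AUTH LOGIN sends username and password as two
# separate base64 strings after the server's 334 prompts.
SESSION_AUTH_LOGIN = f"""S: 220 mail.cpworldindia.com ESMTP
C: EHLO DESKTOP-ABC123
S: 250-mail.cpworldindia.com
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: {_b64(EXTRACTED_CONFIG['username'])}
S: 334 UGFzc3dvcmQ6
C: {_b64(EXTRACTED_CONFIG['password'])}
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<{EXTRACTED_CONFIG['username']}>
C: RCPT TO:<{EXTRACTED_CONFIG['username']}>
"""

# Constructed variant using AUTH PLAIN: one base64 blob of "\0user\0password".
_PLAIN_BLOB = base64.b64encode(
    b"\x00" + EXTRACTED_CONFIG["username"].encode()
    + b"\x00" + EXTRACTED_CONFIG["password"].encode()
).decode()
SESSION_AUTH_PLAIN = (
    "S: 220 mail.cpworldindia.com ESMTP\n"
    "C: EHLO DESKTOP-ABC123\n"
    f"C: AUTH PLAIN {_PLAIN_BLOB}\n"
    "S: 235 2.7.0 Authentication successful\n"
)


def _decode(b64text: str):
    """Strict base64 decode; None when the line is not a valid base64 token."""
    try:
        return base64.b64decode(b64text, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_smtp_credentials(transcript: str):
    """Return (mechanism, username, password) for every AUTH LOGIN / AUTH PLAIN
    exchange in a cleartext transcript. Only client ("C:") lines are read."""
    client = [ln[2:].strip() for ln in transcript.splitlines() if ln.startswith("C:")]
    found = []
    i = 0
    while i < len(client):
        parts = client[i].split()
        cmd = parts[0].upper() if parts else ""
        mech = parts[1].upper() if len(parts) >= 2 else ""
        if cmd == "AUTH" and mech == "PLAIN":
            blob = parts[2] if len(parts) > 2 else (client[i + 1] if i + 1 < len(client) else "")
            try:
                fields = base64.b64decode(blob, validate=True).split(b"\x00")
            except (binascii.Error, ValueError):
                fields = []
            if len(fields) == 3:  # authzid \0 authcid \0 password
                found.append(("PLAIN", fields[1].decode("utf-8", "replace"),
                              fields[2].decode("utf-8", "replace")))
            i += 1 if len(parts) > 2 else 2
        elif cmd == "AUTH" and mech == "LOGIN":
            if len(parts) > 2:  # initial response: AUTH LOGIN <base64 user>
                user_b64 = parts[2]
                pw_b64 = client[i + 1] if i + 1 < len(client) else ""
                used = 2
            else:               # AUTH LOGIN, then user line, then password line
                user_b64 = client[i + 1] if i + 1 < len(client) else ""
                pw_b64 = client[i + 2] if i + 2 < len(client) else ""
                used = 3
            user, pw = _decode(user_b64), _decode(pw_b64)
            if user is not None and pw is not None:
                found.append(("LOGIN", user, pw))
            i += used
        else:
            i += 1
    return found


def match_extracted_config(dst_host: str, dst_port: int, transcript: str,
                           config=EXTRACTED_CONFIG) -> dict:
    """Flag a session that reaches the configured server with the configured credentials."""
    creds = parse_smtp_credentials(transcript)
    hits = [c for c in creds if (c[1], c[2]) == (config["username"], config["password"])]
    return {
        "endpoint_match": dst_host.lower() == config["host"].lower() and dst_port == config["port"],
        "credentials_seen": creds,
        "credential_match": bool(hits),
    }


if __name__ == "__main__":
    for name, session in (("LOGIN", SESSION_AUTH_LOGIN), ("PLAIN", SESSION_AUTH_PLAIN)):
        print(name, match_extracted_config("mail.cpworldindia.com", 587, session))
```

Feed it SMTP streams reconstructed from a pcap (tshark's follow-stream output or a Zeek SMTP log is enough); a credential match on any host is a positive infection indicator regardless of what the message body looks like. Anything sent after STARTTLS is encrypted and invisible both to this check and to the Suricata rule.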
Targets
-
-
Target
PO#CWA006635.exe
-
Size
414KB
-
MD5
8cf823ee0766126638d33918383ca5d8
-
SHA1
3b215b084b9ff049a860fc29108f62c4b6d2133b
-
SHA256
6de7efc9e04cb4db0acc603a7ed700b186d0545acd0e8e84a1d8cce668202dc8
-
SHA512
41cd0278ebb15faddd178fb826e8dc74021980f09b94ff785b1b6d88d5504c2e7b37450484666fd7a00e3c3e865459ace696c41ad84e4d0630d1ef893e93ed94
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET; the config extracted from this sample shows it exfiltrating over SMTP.
-
CoreEntity .NET Packer
CoreEntity is a .NET packer that stores its payload inside a Bitmap object; at run time the stub reads the pixel data back, decrypts it in memory and only then runs the payload.
-
suricata: ET MALWARE AgentTesla Exfil Via SMTP
-
AgentTesla payload
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up the country code configured in the registry, likely to geofence execution to or away from particular regions.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext (typical of process hollowing, where a packer writes a payload into a suspended process and redirects its main thread to it)
-
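Added example, not CoreEntity's code or the sandbox's: a Python walk-through of the unpacking step the CoreEntity signature above describes, recovering a payload stored in the pixel data of a 24-bpp bitmap and decrypting it. The container layout (a 4-byte little-endian length followed by the payload, image rows read top-down), the repeating-XOR cipher, the key b"demo-key" and the "MZ" placeholder payload are all constructed and assumed for illustration; the real CoreEntity layout and cipher are not given on this page and have to be read out of the stub's decryption routine in a disassembler.

```python
"""Recover a payload stored in the pixel data of a 24-bpp bitmap, the kind of
stub-side unpacking the CoreEntity signature describes. Added example for this
report, not CoreEntity's own code. Container layout (u32 LE length + repeating
XOR payload, rows top-down), key and payload are assumed for illustration."""
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; stands in for whatever routine the real stub uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_bitmap_container(payload: bytes, key: bytes, width: int = 16) -> bytes:
    """Constructed packer side: write the length-prefixed, XOR-encrypted payload
    into the pixel area of a bottom-up 24-bpp BMP (rows padded to 4 bytes)."""
    body = struct.pack("<I", len(payload)) + xor_bytes(payload, key)
    row_bytes = width * 3
    height = max(1, -(-len(body) // row_bytes))  # ceil division
    body = body.ljust(row_bytes * height, b"\x00")
    stride = (row_bytes + 3) & ~3
    rows = [body[r * row_bytes:(r + 1) * row_bytes] for r in range(height)]
    # Positive biHeight means rows are stored bottom-up, so file order is reversed.
    pixels = b"".join(row.ljust(stride, b"\x00") for row in reversed(rows))
    offset = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def pixel_bytes(bmp: bytes) -> bytes:
    """Analyst side: return the raw 24-bpp pixel bytes in top-down row order with
    row padding removed, handling both bottom-up and top-down BMPs."""
    magic, _, _, _, offset = struct.unpack_from("<2sIHHI", bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", bmp, 14)
    if bpp != 24:
        raise ValueError(f"unsupported bit depth {bpp}")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    rows = [bmp[offset + r * stride: offset + r * stride + row_bytes]
            for r in range(abs(height))]
    if height > 0:  # bottom-up storage: the last row in the file is the top row
        rows.reverse()
    return b"".join(rows)


def extract_payload(bmp: bytes, key: bytes) -> bytes:
    """Parse the assumed container out of the pixel bytes and sanity-check it."""
    data = pixel_bytes(bmp)
    (length,) = struct.unpack_from("<I", data, 0)
    if length > len(data) - 4:
        raise ValueError("length prefix exceeds pixel data; wrong layout or not a container")
    payload = xor_bytes(data[4:4 + length], key)
    if payload[:2] != b"MZ":
        raise ValueError("decrypted data is not a PE image; wrong key or cipher")
    return payload


# Constructed stand-in for the embedded executable: DOS magic plus the stub string.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + bytes(range(60))
DEMO_KEY = b"demo-key"  # assumed key for the example only

if __name__ == "__main__":
    container = build_bitmap_container(FAKE_PAYLOAD, DEMO_KEY)
    recovered = extract_payload(container, DEMO_KEY)
    print(len(container), "byte BMP ->", len(recovered), "byte payload, match:",
          recovered == FAKE_PAYLOAD)
```

In practice the Bitmap comes out of the sample's managed resources (any .NET resource viewer will dump it), pixel_bytes() gives you the raw channel data, and xor_bytes() is swapped for whatever the stub actually does before it loads the result; the "MZ" check is the quickest way to tell a wrong key or wrong byte order from a correct one.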
MITRE ATT&CK Matrix
Tactic: technique (number of matching signatures)
Command and Control: none
Credential Access: Credentials in Files (3)
Defense Evasion: Modify Registry (1)
Execution: none
Exfiltration: none
Impact: none
Initial Access: none
Lateral Movement: none
Persistence: Scheduled Task (1)
Privilege Escalation: none