General

  • Target

    PI.docx.doc

  • Size

    10KB

  • Sample

    230316-jktakshg47

  • MD5

    45de2abc12fcc5f27d9114096e630ab2

  • SHA1

    262095d080b430dbba50d9ce90cfc9822952ad7d

  • SHA256

    fc62c715d35b798f1f0d8e0b6c6c7c072d7f9513e53a8d81dd54d6f8abd1987a

  • SHA512

    0d63da29f3274a988b54df0b0bda6fb0f2c35d56180a28941f4757d1eec40f72a791a1091aebf1a18a68c61aa9fdc281f5b528b0833f39e4c91cb2b271978990

  • SSDEEP

    192:ScIMmtP1aIG/bslPL++uOAl+CVWBXJC0c3YV:SPXU/slT+LOAHkZC9Y

Malware Config

Extracted

  • Rule

    Microsoft Office WebSettings Relationship

  • C2

    http://EEEEEEE00EOE0EOE0EO0EOE0EOEOOE0EOEO0EOEO0EOEOOEE0OEOOEOE0EOEOE0OEOEOE0OEOEOOOEEQIIIIQIIQIQIQIQIIQIQIIQIQIIQIQIQI@392095676/97..........................97.......................doc

Extracted

  • Family

    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.huiijingco.com
  • Port:
    587
  • Username:
    m@huiijingco.com
  • Password:
    lNLUrZT2

Targets

    • Target

      PI.docx.doc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the technique, the number of matching signatures in parentheses, and the technique ID.

Execution

  • Scripting (1) T1064
  • Scheduled Task (1) T1053
  • Exploitation for Client Execution (1) T1203

Persistence

  • Scheduled Task (1) T1053

Privilege Escalation

  • Scheduled Task (1) T1053

Defense Evasion

  • Scripting (1) T1064
  • Modify Registry (1) T1112

Discovery

  • System Information Discovery (3) T1082
  • Query Registry (2) T1012
