General

  • Target

    Notification-� 705643291.docx

  • Size

    10KB

  • Sample

    230417-xd3gkaff47

  • MD5

    d8b58acf46543be8923df5bfcac35303

  • SHA1

    36a368a068839d500c53e2ce69b4ccdcc7c3cf0b

  • SHA256

    9f550792a8ce146cfffd56e81195e7cab617a4b28394f3da0750409e4853b9b3

  • SHA512

    0a3e49ef143d35c3b35f87b72a9244e9fcfaf19256f15cf10db8c9bcd48591f87b70241f3311f668b5c3bca88e9c5de250ceb84c02589fc790fd1f5447ca1992

  • SSDEEP

    192:ScIMmtPGT7G/bIwXOVOyHB5SEzBC4vNq6sM63Le:SPXuT+xXOVOovhlqHC

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23ZZZZ99999999ZZ‪‬ZZZ‪‬Z999999‪‬99ZZZZZZZ55555Z5Z5Z55Z5Z5Z5ZZZZZZZ0LLLLLLLOOOOO0000000000LLLLL00000000000OOOLLLLLLL@1806682772/w/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    triihope931@gmail.com
  • Password:
    rtusdqorfxjgcjij
  • Email To:
    triihope931@gmail.com

Targets

    • Target

      Notification-� 705643291.docx

    • Size

      10KB

    • MD5

      d8b58acf46543be8923df5bfcac35303

    • SHA1

      36a368a068839d500c53e2ce69b4ccdcc7c3cf0b

    • SHA256

      9f550792a8ce146cfffd56e81195e7cab617a4b28394f3da0750409e4853b9b3

    • SHA512

      0a3e49ef143d35c3b35f87b72a9244e9fcfaf19256f15cf10db8c9bcd48591f87b70241f3311f668b5c3bca88e9c5de250ceb84c02589fc790fd1f5447ca1992

    • SSDEEP

      192:ScIMmtPGT7G/bIwXOVOyHB5SEzBC4vNq6sM63Le:SPXuT+xXOVOovhlqHC

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Scripting

1
T1064

Modify Registry

2
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks