General

  • Target

    C0R102378T17957808.eml

  • Size

    1.0MB

  • Sample

    241021-qrrtnavgrc

  • MD5

    9039d50502d931fb1dfc72173ba9916a

  • SHA1

    f3b7b07992207032b89fb4eca7069667c1b44b45

  • SHA256

    8b190d14eebd681565195bf1b3200da016e0278503441034bd92346a9051b6b1

  • SHA512

    18c70863063d9822b60f987c4a30c122395fe0b92954b5956840d26db6cdd2cdc2027c4b12368800ec4a5743936bd236a97f00ddf649426e97f9fcab21934d55

  • SSDEEP

    24576:gdpTRPz7vb5JxfvdJRDdpTR8AEPgXcg+zqYlpNsSTDhwqfS0hnlJYG9f9v/4L:I5cgi1wySmnbYGLv6

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SWIFT 2006799120024.xlam

    • Size

      768KB

    • MD5

      a41ca3369657198fb4cc1da3ca8c2f76

    • SHA1

      57619d04d478f1acd94ace7c82d135ff4e7693fd

    • SHA256

      7faca0e3d5dbcec15d1209d157bbfb22763d9885da5aa21604e31d8c439717c5

    • SHA512

      1bb060314da6d75db06320c9b1a235c45adb492f2bff4a5727905e1a1b8c07fa09c6548bcb17584fd36ddec674628398bb6e4e18458913cc23fa49cba38526f4

    • SSDEEP

      24576:b7zEkcAKb7PW0l20GXZJJFjWoX2HGKVDu:bXEkcAq7WalSFjFX2HHC

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks