General

  • Target

    TRM76EWDS.com

  • Size

    401KB

  • Sample

    200630-hyg893f9vn

  • MD5

    fa54db10aba75c0b629fea0c37e64de3

  • SHA1

    931097d1be9092432b8ebb04c0a96f36060aa7ea

  • SHA256

    052148f226d2b1e51ca7318eacda6906765138d2e28b290558a2b7003e9f6634

  • SHA512

    c2e43e5eecc0bcb99ce08a3ffae9bd80867ad48ffd20f00c949f5d28d04677f1744edcd8f7a93efa78a512b5e62cd25ca59413078a845a5f5ba9c2ae62b4024e

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    dubemlogszz@lascostoolsc.xyz
  • Password:
    dubem@4000XAXAX

Targets

    • Target

      TRM76EWDS.com

    • Size

      401KB

    • MD5

      fa54db10aba75c0b629fea0c37e64de3

    • SHA1

      931097d1be9092432b8ebb04c0a96f36060aa7ea

    • SHA256

      052148f226d2b1e51ca7318eacda6906765138d2e28b290558a2b7003e9f6634

    • SHA512

      c2e43e5eecc0bcb99ce08a3ffae9bd80867ad48ffd20f00c949f5d28d04677f1744edcd8f7a93efa78a512b5e62cd25ca59413078a845a5f5ba9c2ae62b4024e

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (commonly written in Visual Basic .NET or C#); it typically exfiltrates harvested credentials over SMTP, as the extracted configuration above shows.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is a common step in process hollowing: the payload is written into a suspended process and the entry point is redirected to it.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                            Signatures  ID
  Persistence       Registry Run Keys / Startup Folder   1           T1060
  Defense Evasion   Virtualization/Sandbox Evasion       2           T1497
  Defense Evasion   Modify Registry                      1           T1112
  Discovery         Query Registry                       4           T1012
  Discovery         Virtualization/Sandbox Evasion       2           T1497
  Discovery         System Information Discovery         2           T1082
  Discovery         Peripheral Device Discovery          1           T1120
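The signatures listed under Targets and the ATT&CK matrix above are the sandbox's own verdicts. The script below is an added example (not part of this report, the sandbox, or Agent Tesla) that reproduces the same combination of behaviours as a detection rule over a constructed list of Sysmon-style events: registry queries against the VirtualBox Guest Additions, VMware Tools and BIOS keys, a Run-key write, a file drop under the drivers directory, a SetThreadContext call, and an outbound SMTP connection to the host and port from the extracted configuration. The VirtualBox, VMware, BIOS and Run-key registry paths are the well-known ones; the use of HKLM\SYSTEM\MountedDevices for "Maps connected drives based on registry" is an assumption, and the event schema, process IDs, file name and Run-key value name are constructed for the example.

```python
"""Added example: score constructed Sysmon-style events against the behaviours
this report attributes to the sample, and map hits to the report's ATT&CK IDs.
Not code from the sandbox or from the malware."""
import re
from collections import defaultdict

# (signature name from the report, ATT&CK v6 ID from the matrix or None,
#  regex over the event target, event type it applies to).
# MountedDevices as the key behind "Maps connected drives" is an assumption.
RULES = [
    ("Looks for VirtualBox Guest Additions in registry", "T1497",
     r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", "RegistryQuery"),
    ("Looks for VMWare Tools registry key", "T1497",
     r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", "RegistryQuery"),
    ("Checks BIOS information in registry", "T1082",
     r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", "RegistryQuery"),
    ("Maps connected drives based on registry", "T1120",
     r"\\SYSTEM\\MountedDevices", "RegistryQuery"),
    ("Adds Run key to start application", "T1060",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "RegistrySet"),
    ("Drops file in Drivers directory", None,
     r"\\Windows\\System32\\drivers\\", "FileCreate"),
    ("Suspicious use of SetThreadContext", None,
     r"^SetThreadContext$", "ApiCall"),
    # Exfil channel taken from the extracted config (host and port above).
    ("SMTP connection to configured mail host", None,
     r"^mail\.privateemail\.com:587$", "NetworkConnect"),
]

# Constructed events: pid 4120 behaves like the sample, pid 1337 is benign.
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "RegistryQuery",
     "target": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"pid": 4120, "type": "RegistryQuery",
     "target": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"pid": 4120, "type": "RegistryQuery",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"},
    {"pid": 4120, "type": "RegistryQuery", "target": r"HKLM\SYSTEM\MountedDevices"},
    {"pid": 4120, "type": "RegistrySet",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"pid": 4120, "type": "FileCreate",
     "target": r"C:\Windows\System32\drivers\example.sys"},
    {"pid": 4120, "type": "ApiCall", "target": "SetThreadContext"},
    {"pid": 4120, "type": "NetworkConnect", "target": "mail.privateemail.com:587"},
    {"pid": 1337, "type": "RegistryQuery",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"pid": 1337, "type": "NetworkConnect", "target": "update.example.com:443"},
]


def match_events(events):
    """Return {pid: [(signature, technique_id), ...]} for every rule an event triggers.

    Each rule fires at most once per pid, mirroring how the report lists signatures.
    """
    hits = defaultdict(list)
    for ev in events:
        for name, technique, pattern, etype in RULES:
            if ev["type"] != etype:
                continue
            if re.search(pattern, ev["target"], re.IGNORECASE):
                hit = (name, technique)
                if hit not in hits[ev["pid"]]:
                    hits[ev["pid"]].append(hit)
    return dict(hits)


def attack_ids(hits_for_pid):
    """Distinct ATT&CK IDs for one process, sorted, ignoring unmapped signatures."""
    return sorted({t for _, t in hits_for_pid if t})


def verdict(hits_for_pid):
    """Combine the report's categories: several sandbox/host lookups plus
    persistence or the configured exfil channel is treated as malicious."""
    evasion = sum(1 for _, t in hits_for_pid if t in ("T1497", "T1082", "T1120"))
    persistence = any(t == "T1060" for _, t in hits_for_pid)
    exfil = any(n.startswith("SMTP") for n, _ in hits_for_pid)
    if evasion >= 2 and (persistence or exfil):
        return "malicious"
    if evasion or persistence or exfil:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for pid, hits in match_events(SAMPLE_EVENTS).items():
        print(pid, verdict(hits), attack_ids(hits))
        for name, _ in hits:
            print("   ", name)
```

Run as-is to see the sample-like process scored "malicious" with T1060, T1082, T1120 and T1497, while the benign process produces no hits. The verdict deliberately requires more than one environment lookup: a single BIOS or MountedDevices read is routine for legitimate installers, which is why the report itself only reaches a verdict from the combination of evasion checks, the Run key and the hollowing indicator.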