General

  • Target

    11203780.xls

  • Size

    172KB

  • Sample

    200630-qscm33xjcj

  • MD5

    14b2d3f08ad6543c060d19748f526167

  • SHA1

    b10646324228a4b21154ef6e7d9d5469a61364e7

  • SHA256

    7c3822b0015e740bb3e9a1c4d0d5da368cae8117a820152377d41de49ff3ca36

  • SHA512

    e800b1d0531a7e5931d6ad9e1cd48003e80d0f366e62f55e6dd17de5613bed9bd431ee40d0baa42e51389d30c1d9509a83e6878faa11f11d8e5745725035766b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.yandex.com
  • Port: 587
  • Username: pagejeffrey@yandex.com
  • Password: $44#@weC0*

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Use of msiexec (install) with remote resource

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic, then technique (technique ID) and the number of matches:

  • Execution
    Scheduled Task (T1053): 1
  • Persistence
    Scheduled Task (T1053): 1
  • Privilege Escalation
    Scheduled Task (T1053): 1
  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    Query Registry (T1012): 3
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 4
  • Collection
    Data from Local System (T1005): 3