General

  • Target

    shd.xls

  • Size

    380KB

  • Sample

    200731-hfmwynrf2n

  • MD5

    7c68cfe3c735782098888ffabc8d6e13

  • SHA1

    8da67457bd235de94c4b1340bafcf8fecca9a532

  • SHA256

    1eb7ae49135e0c3fd1e802740e5658e52eef3a38bdacbf756a33100ff6bbaad5

  • SHA512

    ed0b41f741e946045fcf4b672dc71639933453f8146fd4e12d248373d8675552cf4ad643c951495267af3d0e8331f74f9d9045e8d398f7b62fa75c2a8dee5bac

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    microsotft-office365-rules-co@yandex.ru
  • Password:
    moneymoney77

Targets

    • Target

      shd.xls

    • Size

      380KB

    • MD5

      7c68cfe3c735782098888ffabc8d6e13

    • SHA1

      8da67457bd235de94c4b1340bafcf8fecca9a532

    • SHA256

      1eb7ae49135e0c3fd1e802740e5658e52eef3a38bdacbf756a33100ff6bbaad5

    • SHA512

      ed0b41f741e946045fcf4b672dc71639933453f8146fd4e12d248373d8675552cf4ad643c951495267af3d0e8331f74f9d9045e8d398f7b62fa75c2a8dee5bac

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks