General

  • Target

    Orden de Compra OC 5740 07_2020.exe

  • Size

    835KB

  • Sample

    200707-n78je58x8n

  • MD5

    05040c9d88fcf3d311e2ffd326cda889

  • SHA1

    bc8d56acfc1a9e641874d02abc9656d5ee875ef1

  • SHA256

    be4792f7f371c8af4e9aed12690c8133dd745e6c4ac5cda2af61b2a94e0f9449

  • SHA512

    366a5af94776e2c06387bacc9cc0f848af4b484578f776982825508f067e7a23fa5dccc2ef104da997bb0fd8d5c02881dd22db9d3482c70851061b188288dd5b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.corroshield.co.id
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    sulastri2011

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks