General

  • Target

    Purchase Order BP2000905.exe

  • Size

    872KB

  • Sample

    200708-8m9pv33yx6

  • MD5

    69a1b2134ce94b111bd90d9cf551e54d

  • SHA1

    652ba3bd742261a6c5169c33c8756750f745d7e1

  • SHA256

    cb1927e26dcf4dc646884e37de470cf002be82095aa7b6d1d4230f78c34b26ca

  • SHA512

    434c9dca539fad2fcecbacfc67107d3c28292bf8ee029915c8be4d5e946453bae8b357d9df9da43bab0d1a32ecaf743a920ca980219cd58be42ae00edb491a0c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.multilprollc.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    e#^buPC8

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks