General

  • Target

    S_0004983002218_07_05_2020.exe

  • Size

    538KB

  • Sample

    201109-8t3b9yshwa

  • MD5

    e0bf3b5b7e427bf37687c7138fad0ed6

  • SHA1

    06982a0b678a1fdba05516919dfe775865739778

  • SHA256

    403ebe632490ce66b85d75f17ae996cfd0a89294e2c2cce1bcef66b5d4278a18

  • SHA512

    a5d891f820cb96dfdf3b2c990b5b244dad30235135d58d48d4ea10c06544e04cfc3c51141526394d23ce344bc9a11e9085d408febd000a2a490b165938a9274d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.reacsa.com.mx
  • Port:
    587
  • Username:
    sucursal_puebla@reacsa.com.mx
  • Password:
    (MzImXmp2u)!

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.reacsa.com.mx
  • Port:
    587
  • Username:
    sucursal_puebla@reacsa.com.mx
  • Password:
    (MzImXmp2u)!

Targets

    • Target

      S_0004983002218_07_05_2020.exe

    • Size

      538KB

    • MD5

      e0bf3b5b7e427bf37687c7138fad0ed6

    • SHA1

      06982a0b678a1fdba05516919dfe775865739778

    • SHA256

      403ebe632490ce66b85d75f17ae996cfd0a89294e2c2cce1bcef66b5d4278a18

    • SHA512

      a5d891f820cb96dfdf3b2c990b5b244dad30235135d58d48d4ea10c06544e04cfc3c51141526394d23ce344bc9a11e9085d408febd000a2a490b165938a9274d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    • AgentTesla Payload

    • rezer0

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

3
T1005

Tasks