General

  • Target

    swift copy.zip

  • Size

    746KB

  • Sample

    201201-lbk71xggyx

  • MD5

    6dc84a743d5c070d76df2c5f7928bb77

  • SHA1

    ddaf7a0a1bd4a9591b2e0fc2785f5e1bd9aef613

  • SHA256

    2ba9db3110899e60daeecb086d4f53adc1cfab127820db3d230c383e74f7172c

  • SHA512

    738dc6a2a136bcf8ee8535db8e13eb1c47c3b93579fbd34eb3783e1515e100d11c93395423263624f4172e93f3cbb0f64d2ce69460ae699f0798e23bfd8060ea

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.polimeter.com
  • Port:
    587
  • Username:
    info@polimeter.com
  • Password:
    5337776740

Targets

    • Target

      swift copy.exe

    • Size

      789KB

    • MD5

      61103d8d0d139971f7f2b81715156a73

    • SHA1

      42d579f94d175c121434512b1675b6c4b84cf72b

    • SHA256

      9d626bb9d442d3762e5366f0fbefae41708936b9c254141fcf3b0a1b80291ebb

    • SHA512

      c7c4f3a5eb87a835290973478015b4baeb83a60163968d0a9856420862297855a2a4f4f1f81e6bc44563274b34651cbe9e01db60a0708108a8f3549dc8d0893f

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Tasks