General

  • Target

    VWHv25hG8krG0oN.exe

  • Size

    1.1MB

  • Sample

    210122-kjm8drklgj

  • MD5

    7f82cfb27071df49570b6218613b886a

  • SHA1

    494f13242df0d1cfedada1dbf6ca8e47583bce5d

  • SHA256

    bc9bf3135e6e8e2bbe5f345843da0ac33848981d94cbd2dd540606c4397fac0b

  • SHA512

    47e499b9b645033348ec05ebdb43611bd439080d93ed69e4703b9d4a6f4651125e17a42b98738d6a11ca009fa57059724fde86c4e3bfb51c697c2c2dbb9c3fc3

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gammavilla.org
  • Port:
    587
  • Username:
    info@gammavilla.org
  • Password:
    county2018

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gammavilla.org
  • Port:
    587
  • Username:
    info@gammavilla.org
  • Password:
    county2018

Targets

    • Target

      VWHv25hG8krG0oN.exe

    • Size

      1.1MB

    • MD5

      7f82cfb27071df49570b6218613b886a

    • SHA1

      494f13242df0d1cfedada1dbf6ca8e47583bce5d

    • SHA256

      bc9bf3135e6e8e2bbe5f345843da0ac33848981d94cbd2dd540606c4397fac0b

    • SHA512

      47e499b9b645033348ec05ebdb43611bd439080d93ed69e4703b9d4a6f4651125e17a42b98738d6a11ca009fa57059724fde86c4e3bfb51c697c2c2dbb9c3fc3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Collection

Data from Local System

2
T1005

Tasks