General

  • Target

    winlog.exe

  • Size

    678KB

  • Sample

    210126-ten7wzej1n

  • MD5

    73e25f09d4c7e66c2f126f49e47154aa

  • SHA1

    10f9c184b5e5f305a2e866087e0581ef23f32b28

  • SHA256

    4c197092877ec4d548bdb4a2fb4284bed16b940e701c3123fba0f25eac00664a

  • SHA512

    598c80a7772d9764698c8e1348e62ff2f270e4bb634f585436882c8a87b026ab043c7f712f49a582458de65032e4a68cd0b217a54ae32458ea728e9cafabbb95

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.sistemassg.com
  • Port:
    587
  • Username:
    teresa@sistemassg.com
  • Password:
    princehero1234

Targets

    • Target

      winlog.exe

    • Size

      678KB

    • MD5

      73e25f09d4c7e66c2f126f49e47154aa

    • SHA1

      10f9c184b5e5f305a2e866087e0581ef23f32b28

    • SHA256

      4c197092877ec4d548bdb4a2fb4284bed16b940e701c3123fba0f25eac00664a

    • SHA512

      598c80a7772d9764698c8e1348e62ff2f270e4bb634f585436882c8a87b026ab043c7f712f49a582458de65032e4a68cd0b217a54ae32458ea728e9cafabbb95

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 3

  • Collection

    Data from Local System (T1005): 3

Tasks