General

  • Target

    PO210322114527_HURMET CIKOLATA SEKERLEME GIDA SAN TIC LTD STI.exe

  • Size

    276KB

  • Sample

    210408-5ywzmt46v2

  • MD5

    ea1a31948e07ee79361c9bc1ee8b176d

  • SHA1

    ea8c3f08a9a72e7794c30464154ea3a32eec6511

  • SHA256

    29e326042a99756d5a810aaa91765bd660a8aee4e792c3a1e4d1c8742829c83b

  • SHA512

    0ecd91a36dc302c58398a86901ee33826f8a4dee8c99356d68dd9622840bd3979bae11ab92bab25327f0498b029a15adf7c1ac4586545ea52f707697a4a59338

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    penny@mbalikova.com
  • Password:
    Gc7BuDF8@F

Targets

    • Target

      PO210322114527_HURMET CIKOLATA SEKERLEME GIDA SAN TIC LTD STI.exe

    • Size

      276KB

    • MD5

      ea1a31948e07ee79361c9bc1ee8b176d

    • SHA1

      ea8c3f08a9a72e7794c30464154ea3a32eec6511

    • SHA256

      29e326042a99756d5a810aaa91765bd660a8aee4e792c3a1e4d1c8742829c83b

    • SHA512

      0ecd91a36dc302c58398a86901ee33826f8a4dee8c99356d68dd9622840bd3979bae11ab92bab25327f0498b029a15adf7c1ac4586545ea52f707697a4a59338

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Collection

Data from Local System

2
T1005

Tasks