General

  • Target

    tegenesla.zip

  • Size

    583KB

  • Sample

    210504-9vg39s7yrx

  • MD5

    89fa08970270740759e662a28e2d127c

  • SHA1

    5fae5521f7cba9953a7f0414453f3b1c7cc236e7

  • SHA256

    cd907739132c3527d46eaf498e62f1e3a23ad1d1c173bd50f6f5deed99512046

  • SHA512

    8980a55578dfcbdefd97c384c736a00e4b825b48ae4803626be60884576aa4aab7d51f297c30f66f96bd44ce94dbfb232bee65f8575e9cb5f89fe1a0832ceb81

Malware Config

Extracted

  • Family

    agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.iruberritechnologies.com
  • Port: 587
  • Username: calidad1@iruberritechnologies.com
  • Password: Vpx7s4QHfJx7

Targets

    • Target

      36c42944400bdcde3e3406f10e44f934f7ff7eefb0d4c81ebb44a1fa8ee560de.bin

    • Size

      862KB

    • MD5

      fa27a040b4f42011d1ff8b89e10a8590

    • SHA1

      36a4a67f882bcdb11e52f32fbfd6168e5806dc6c

    • SHA256

      36c42944400bdcde3e3406f10e44f934f7ff7eefb0d4c81ebb44a1fa8ee560de

    • SHA512

      659159acf48ccd8b2af61b8d4669805143a767079010cc2a87341023565590b84360274fec1505e578d8d750833dc94364fcaec10460145e053887d7f25f4d49

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 3

  • Collection

    Data from Local System (T1005): 3

Tasks