General

  • Target: CARGO DECUMENT.rar
  • Size: 565KB
  • Sample: 210511-e1dt5jv98n
  • MD5: 4afd0f01c414edb99aee1e87c1884828
  • SHA1: 4a0018a89e943f4221b332f45c27cde2aa156aa4
  • SHA256: e4345fe0a71bae9a36b053c1c040a94b010815e1528cbce9c6fa21bbcfb95c8a
  • SHA512: dcaa27c9504c05ce7ccaca23f0a646728836eaa2eff1e665010eb125ade09bf0aba966febedf12a85729e8e497ea61425f839568c67b0495d6b350cbec762914

Malware Config

Extracted

Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.cometshippings.com
  • Port: 587
  • Username: z@cometshippings.com
  • Password: FNoY9fig8&Cyw];Fpk

Targets

    • Target: CARGO DECUMENT.exe
    • Size: 929KB
    • MD5: 43ecd98b39cc9ebfc3f85d0c69449373
    • SHA1: 419842c79a2c0a3ecc1e0137235d77a9b585949e
    • SHA256: db59b7cbcd7ffd902553d10a3aceab64f2020a04f169e167e25d01a14125f5c5
    • SHA512: 35acec2737051bc816e894ca128cdf57b1a7272d19396b425923b61ce89792cf0d03ee0f565132a61c1936d5ac78c814fbebecf69a41ef34a8ba903da85375af

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tactic                Technique                      Count  ID
Execution             Scheduled Task                 1      T1053
Persistence           Scheduled Task                 1      T1053
Privilege Escalation  Scheduled Task                 1      T1053
Credential Access     Credentials in Files           2      T1081
Discovery             System Information Discovery   1      T1082
Collection            Data from Local System         2      T1005
