General

  • Target

    Cotizacion.pdf.exe

  • Size

    634KB

  • Sample

    210511-f44db7wtmj

  • MD5

    27670c0af516c2f4cdec93153531413f

  • SHA1

    d9e7784f9bbac76894096ad7ffc1100dd4e00c05

  • SHA256

    db2df52c06b039021ffb4cbbda480c7bc071cacc2d31348ef719025efd48587a

  • SHA512

    d4786154bad55330ceaa24b3999f4a20ace5b064034661bc0e37bb224fca6ea77dc6699ecc41cd5ac985cbd336a497ac3003a3fc57960f88a0711501d455ecf9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.prisamexico.net
  • Port:
    587
  • Username:
    security@prisamexico.net
  • Password:
    Opy44Yi.e65y
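The extracted SMTP block is the most actionable part of this report: Agent Tesla delivers stolen credentials by authenticating to an attacker-controlled mailbox and mailing the loot to itself, so the host, port and username above are what an endpoint will touch when the sample fires. The Python below is an added example (it is not part of the report and not sandbox output) that turns those fields into hunting logic and runs it over a few constructed log lines. The log shape is a simplified newline-delimited JSON assumed for this example only; the function names are the author's own.

```python
import json

# Fields copied from the extracted Agent Tesla config in this report.
EXFIL_HOST = "mail.prisamexico.net"
EXFIL_PORT = 587
EXFIL_USER = "security@prisamexico.net"

# Constructed sample telemetry (not real logs): one JSON object per line in a
# simplified shape assumed for this example only. A real deployment would map
# Zeek conn/smtp, proxy or firewall fields onto these keys.
SAMPLE_LOGS = r"""
{"ts": "2021-05-11T10:02:13Z", "src": "10.0.5.23", "dst_host": "mail.prisamexico.net", "dst_port": 587, "smtp_user": "security@prisamexico.net"}
{"ts": "2021-05-11T10:02:14Z", "src": "10.0.5.23", "dst_host": "smtp.office365.com", "dst_port": 587, "smtp_user": "alice@example.org"}
{"ts": "2021-05-11T10:03:40Z", "src": "10.0.5.40", "dst_host": "mail.prisamexico.net", "dst_port": 25}
{"ts": "2021-05-11T10:05:01Z", "src": "10.0.5.61", "dst_host": "MAIL.PRISAMEXICO.NET.", "dst_port": 587, "smtp_user": "Security@prisamexico.net"}
"""


def _norm_host(value):
    # DNS names are case-insensitive and may carry a trailing dot.
    return (value or "").strip().lower().rstrip(".")


def classify(record):
    """Return the reasons a single record matches the extracted config.

    A host match is reported even on another port: the attacker controls the
    mailbox, so any endpoint talking to it deserves a look.
    """
    reasons = []
    if _norm_host(record.get("dst_host")) == EXFIL_HOST:
        reasons.append("dst_host is the configured exfil mail server")
        if record.get("dst_port") == EXFIL_PORT:
            reasons.append("dst_port is the configured submission port")
    if (record.get("smtp_user") or "").strip().lower() == EXFIL_USER:
        reasons.append("SMTP AUTH as the attacker-controlled mailbox")
    return reasons


def hunt(log_text):
    """Parse newline-delimited JSON records and return the ones that match."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = classify(record)
        if reasons:
            hits.append({"ts": record["ts"], "src": record["src"], "reasons": reasons})
    return hits


def affected_hosts(log_text):
    """Distinct internal sources that talked to the exfil infrastructure."""
    return sorted({hit["src"] for hit in hunt(log_text)})


def iocs():
    """Indicators taken from this report, ready for a watchlist export."""
    return [
        ("domain", EXFIL_HOST),
        ("email", EXFIL_USER),
        ("filename", "Cotizacion.pdf.exe"),
        ("sha256", "db2df52c06b039021ffb4cbbda480c7bc071cacc2d31348ef719025efd48587a"),
    ]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit["ts"], hit["src"], "; ".join(hit["reasons"]))
    print("affected:", affected_hosts(SAMPLE_LOGS))
```

Two caveats when using this for real. Port 587 submission normally negotiates STARTTLS before AUTH, so the username is only visible to a host-side capture or an inline TLS-terminating sensor; the hostname from DNS or connection logs is the signal to rely on. And the password in the config is the attacker's mailbox credential: it is useful for clustering other samples that share the same drop account, not for logging into that mailbox.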

Targets

    • Target

      Cotizacion.pdf.exe

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT); builds are typically compiled from VB.NET or C#.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

      Rewriting a thread's context is a common step in process hollowing and injection: the payload is written into a suspended process and SetThreadContext points its main thread at the new code before ResumeThread.
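The "Reads data files stored by FTP clients" signature is worth making concrete, because it shows why a stealer bothers: FileZilla keeps saved servers in recentservers.xml and sitemanager.xml, and unless a master password is set the stored password is only base64-encoded. The Python below is an added example (not from the report and not FileZilla or Agent Tesla code) that parses a constructed file in that layout the way a stealer or an incident responder would, decoding the recoverable passwords and flagging the master-password-protected ones. Hosts, users and passwords in the sample are invented; the protocol number mapping follows FileZilla's ServerProtocol enum.

```python
import base64
import xml.etree.ElementTree as ET

# Protocol numbers as used in FileZilla's ServerProtocol enum.
PROTOCOLS = {0: "FTP", 1: "SFTP", 3: "FTPS", 4: "FTPES", 6: "INSECURE_FTP"}

# Constructed sample (invented hosts, users and passwords) in the layout of
# %APPDATA%\FileZilla\recentservers.xml. sitemanager.xml carries the same
# <Server> elements under <Servers>. encoding="crypt" is what FileZilla writes
# once a master password is set.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.51.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.internal</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQxMjM=</Pass>
    </Server>
    <Server>
      <Host>sftp.example.internal</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Pass encoding="crypt" pubkey="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=">AAAA</Pass>
    </Server>
    <Server>
      <Host>anon.example.internal</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_filezilla(xml_text):
    """Extract every saved server; decode base64 passwords, flag encrypted ones."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entries = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password = None
        protected = False
        if pass_el is not None:
            encoding = pass_el.get("encoding", "")
            if encoding == "base64":
                password = base64.b64decode(pass_el.text or "").decode("utf-8", "replace")
            elif encoding == "crypt":
                # Master-password protected: the ciphertext is useless without the key.
                protected = True
            else:
                # Releases before the base64 change wrote the password as-is.
                password = pass_el.text
        proto = int(server.findtext("Protocol", "-1"))
        entries.append({
            "host": server.findtext("Host", ""),
            "port": int(server.findtext("Port", "0")),
            "protocol": PROTOCOLS.get(proto, f"protocol {proto}"),
            "user": server.findtext("User"),
            "password": password,
            "password_protected": protected,
        })
    return entries


def exposed_credentials(xml_text):
    """Only the entries a stealer can use straight away (plaintext recoverable)."""
    return [e for e in parse_filezilla(xml_text) if e["password"] is not None]


if __name__ == "__main__":
    for entry in parse_filezilla(SAMPLE_RECENTSERVERS):
        state = "PROTECTED" if entry["password_protected"] else entry["password"]
        print(f'{entry["protocol"]:<6} {entry["host"]}:{entry["port"]} {entry["user"]} -> {state}')
```

The response side follows directly: after a confirmed Agent Tesla infection, every server listed in these files on the affected host should be treated as compromised and its credentials rotated, and enabling FileZilla's master password turns the sitemanager entries from plaintext-recoverable into ciphertext the stealer cannot use.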

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique               ID     Count
  Credential Access  Credentials in Files    T1081  3
  Collection         Data from Local System  T1005  3

  Count is the number of signatures above that map to the technique; here the three credential-store reads (FTP clients, email clients, web browsers) account for both rows. The identifiers are from ATT&CK v6: T1081 was deprecated in v7 and its content now lives under T1552.001 (Unsecured Credentials: Credentials In Files), while T1005 is unchanged.
