General

  • Target

    Payment $67,830.00.zip

  • Size

    534KB

  • Sample

    210722-2r586mgkta

  • MD5

    0c46aa1aef86e22db670991465705b84

  • SHA1

    3a9469c9c13ccce9ad650c40604efe93da498f1c

  • SHA256

    9932ebe09d500e0eb67ac036c5917b4ec748171e3063e17735ee27566ff19639

  • SHA512

    cc997714af92b86c030d70e7950132cc86e83e0568a838652067e2d5fcdd18c080bd1e5d1c14598646280e5fe5e862dfd42c9c20a6a9b279f7ff009faced9f5d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    billions101@vivaldi.net
  • Password:
    Great#@#$12909()*&^

Targets

    • Target

      Payment $67,830.00.exe

    • Size

      690KB

    • MD5

      df77aaa6e3e3aa36d253ef893063452f

    • SHA1

      db0f0750d0bbe620db17a719f74c06746a2e05de

    • SHA256

      0e50b895ed10c7cc4ecab501bf363451c24b654e3c3da3ef889a6bd13856bd12

    • SHA512

      1d31dd3e1bb6cc0b2f7b50d592084083fcf4eee05665589216669eb777ae7470f91d0839ae2caba82f84f727ea2218e7860899f1f8023c80e12c7acccbd81106

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Tasks