1FINAL_REVISED_INVOICE_AND_PACKING_LIST_FOR_SHIPMENT_Email_no._M1053_dd._July_20__2021.exe

General
Target

1FINAL_REVISED_INVOICE_AND_PACKING_LIST_FOR_SHIPMENT_Email_no._M1053_dd._July_20__2021.exe

Size

908KB

Sample

210722-w3jkpaldyx

Score
10 /10
MD5

144141ae2aa727bc13fd74745b7a1315

SHA1

05c9afef4033721637adb0e8ae5bfe2339eab9af

SHA256

39237253378c85888c0281afc0190177c88c3d648089782de5ae1cab7e67ecef

SHA512

52d64205719b12b881008a3aa9fc1a00835ea607f81e61b7a3b27526e4e10123439419512cb113ecfb9e4dcda32b4a703c14f536c55b285b1f6be5e67332d8f5

Malware Config

Extracted

Family agenttesla
Credentials

Protocol: ftp

Host: ftp://universalinks.net/

Port: 21

Username: bring4@universalinks.net

Password: {lafa{u^wEx8

Targets
Target

1FINAL_REVISED_INVOICE_AND_PACKING_LIST_FOR_SHIPMENT_Email_no._M1053_dd._July_20__2021.exe

MD5

144141ae2aa727bc13fd74745b7a1315

Filesize

908KB

Score
10 /10
SHA1

05c9afef4033721637adb0e8ae5bfe2339eab9af

SHA256

39237253378c85888c0281afc0190177c88c3d648089782de5ae1cab7e67ecef

SHA512

52d64205719b12b881008a3aa9fc1a00835ea607f81e61b7a3b27526e4e10123439419512cb113ecfb9e4dcda32b4a703c14f536c55b285b1f6be5e67332d8f5

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • Contains code to disable Windows Defender

    Description

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • AgentTesla Payload

  • Drops file in Drivers directory

  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System Credentials in Files
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                    Privilege Escalation
                      Tasks