General

  • Target

    RFQ#-Airbus AS365-EC155.exe

  • Size

    850KB

  • Sample

    210727-gmq7x6ga72

  • MD5

    59b10a4ae08a82cceaf918848c40a8f5

  • SHA1

    acf4e109eba29bc8ad37a4db9337ac9a30f74e68

  • SHA256

    bf12c7cd5b7991644a86d6ab104040e6f51581d275a3f9e7f9b60e9931a204e8

  • SHA512

    3540ee55be7e74d803c7095882e98e44af5bdd4eec6690bb6476e3d7e0495afe4d19e5352823d57a7915c43b7b6fce44f3af38b7918d1f8993a357d4d712e151

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.sempreviva.pet
  • Port:
    587
  • Username:
    dataoffice1@sempreviva.pet
  • Password:
    ACYPFpe9

Targets

    • Target

      RFQ#-Airbus AS365-EC155.exe

    • Size

      850KB

    • MD5

      59b10a4ae08a82cceaf918848c40a8f5

    • SHA1

      acf4e109eba29bc8ad37a4db9337ac9a30f74e68

    • SHA256

      bf12c7cd5b7991644a86d6ab104040e6f51581d275a3f9e7f9b60e9931a204e8

    • SHA512

      3540ee55be7e74d803c7095882e98e44af5bdd4eec6690bb6476e3d7e0495afe4d19e5352823d57a7915c43b7b6fce44f3af38b7918d1f8993a357d4d712e151

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Tasks