Copia de pago jpg.exe

General

Target: Copia de pago jpg.exe
Size: 1MB
Sample: 210727-mrxdtk29hj
Score: 10/10
MD5: 38e13fcd219f49d7cca9c8be57ac6ef0
SHA1: 637a26e5e069a3262511666304aa07fb3c8cba00
SHA256: 0ed4dcb3b64eb9b43a02b433a6232b64196bf369c3b2c50ce5342c8e9f4fdcd3
SHA512: e046dd4a80d171dff6e33e2eb48425a85f42361d597549b75968ee11a9a076367ef8228958ef259d3a90dc44f40159cfe73f9778c70d5d933d2e5b55b589074e

Malware Config

Extracted

Family: agenttesla

Credentials
Protocol: smtp
Host: mail.palletsolutions.ca
Port: 587
Username: eloglogs@palletsolutions.ca
Password: h~Q+QV.(M2?!

Signatures

  • AgentTesla
    Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

  • Looks for VirtualBox Guest Additions in registry
    TTPs: Query Registry; Virtualization/Sandbox Evasion

  • Looks for VMware Tools registry key
    TTPs: Query Registry; Virtualization/Sandbox Evasion

  • Checks BIOS information in registry
    Description: BIOS information is often read in order to detect sandboxing environments.
    TTPs: Query Registry; System Information Discovery

  • Reads data files stored by FTP clients
    Description: Tries to access configuration files associated with programs like FileZilla.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of local email clients
    Description: Email clients store some user data on disk, where infostealers will often target it.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials, etc.
    TTPs: Data from Local System; Credentials in Files

  • Maps connected drives based on registry
    Description: Disk information is often read in order to detect sandboxing environments.
    TTPs: Query Registry; Peripheral Device Discovery; System Information Discovery

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation