General

  • Target

    Bank details.r15

  • Size

    430KB

  • Sample

    210915-h9fkcadbdm

  • MD5

    70f5025d205d5645a20334e99f5f48bb

  • SHA1

    82b5d7f470041f03b019a63a80bd5e9b0dad0474

  • SHA256

    d3d17d9db04951cc221555f715f36a94a885505b03bebe685b2387cba23941e5

  • SHA512

    aadd6b122839121df47bf67b920846454a6070ea1f2ace175b287de542f8674d0b2ed0b6c738fd25f0f6ee975f3f0fad20dc6700c651617b7929000a1e2cb981

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    uscentral50.myserverhosts.com
  • Port:
    587
  • Username:
    sales@radheatwaters.com
  • Password:
    waters@789
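
The extracted configuration is the sample's exfiltration channel: the harvested credentials leave the host as e-mail submitted through the account above. What follows is an added example, not part of the sandbox report, that turns the config into hunting indicators and checks them against constructed egress-log lines. The log format, the IP addresses and the relay host names are assumptions made for the example; only the host, port and username come from the report. The mailbox almost certainly belongs to a third party (AgentTesla operators usually exfiltrate through compromised or abused legitimate accounts), so the password is not used anywhere here.

```python
# Added example (not part of the sandbox report): turn the SMTP exfiltration
# config extracted above into hunting indicators and run them over constructed
# egress-log lines. Log format, IP addresses and relay host names are assumptions.
import re
from dataclasses import dataclass

# Copied from the report's "Malware Config" block. The password is deliberately
# left out: it is a third party's mailbox, and logging in to it is not a hunt.
EXFIL_HOST = "uscentral50.myserverhosts.com"
EXFIL_PORT = 587
EXFIL_USER = "sales@radheatwaters.com"

# Constructed log format: "<timestamp> src=<ip> dst=<host-or-ip> dport=<n> proto=<p>"
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def indicators():
    """Indicators to search for: host:port in firewall/proxy logs, the SMTP
    username in mail-gateway AUTH logs (the gateway sees it even when the
    session itself is TLS-wrapped after STARTTLS)."""
    return {"host": EXFIL_HOST, "port": EXFIL_PORT, "smtp_user": EXFIL_USER}


@dataclass
class Hit:
    line: str
    reason: str


def check_egress(lines, mail_relays=frozenset()):
    """Flag log lines that match the exfil channel.

    Rule 1: any connection to the extracted host on its port.
    Rule 2: SMTP submission (tcp/587) from a source that is not an approved
            mail relay. Workstations normally never speak SMTP themselves, so
            this also catches the same family configured with another mailbox.
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2).lower(), int(m.group(3))
        if dst == EXFIL_HOST and dport == EXFIL_PORT:
            hits.append(Hit(line, "known AgentTesla exfil host:port"))
        elif dport == EXFIL_PORT and src not in mail_relays:
            hits.append(Hit(line, "SMTP submission from non-relay host"))
    return hits


# Constructed sample: a workstation reaching the extracted host, the corporate
# relay doing its normal job, another workstation talking SMTP directly, and
# ordinary HTTPS traffic.
SAMPLE_LOG = [
    "2021-09-15T08:14:02Z src=10.0.5.21 dst=uscentral50.myserverhosts.com dport=587 proto=tcp",
    "2021-09-15T08:14:05Z src=10.0.0.10 dst=smtp.example.net dport=587 proto=tcp",
    "2021-09-15T08:15:30Z src=10.0.5.44 dst=mail.example.org dport=587 proto=tcp",
    "2021-09-15T08:16:00Z src=10.0.5.21 dst=www.example.com dport=443 proto=tcp",
]
CORPORATE_RELAYS = frozenset({"10.0.0.10"})  # assumption: the only host allowed to submit mail

if __name__ == "__main__":
    for hit in check_egress(SAMPLE_LOG, CORPORATE_RELAYS):
        print(f"{hit.reason}: {hit.line}")
```

Two caveats when running this against real logs: the destination is often recorded as an IP rather than a name, so add the addresses the host resolved to at the time of the hunt to the indicator set; and because a shared mail host may also serve legitimate tenants, a rule-1 hit from an approved relay is worth confirming before escalation, while the same hit from a workstation is not.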

Targets

    • Target

      Bank details.exe

    • Size

      659KB

    • MD5

      32fd72c7e9a6cd0ff55fc8bff0e5f35b

    • SHA1

      551bde013f7293697603297cebc56f95c7ed4467

    • SHA256

      3074df21396eea8b2249995c040407d2d6edb3bbdc50ad46d706c44104f20817

    • SHA512

      4f2140f3855bae39f293fb3c1c260a869e19e8c9283c0f6ae011222588d581d9386326c38ff017d459e64237a7df4e2f674a49646903c84037faf20fd4ad2323

    • AgentTesla

      Agent Tesla is a .NET-based infostealer and remote access tool (RAT), commonly reported as written in Visual Basic .NET. This sample exfiltrates over SMTP using the credentials extracted above.

    • AgentTesla Payload

    • Drops file in Drivers directory

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla, which store saved server logins.

    • Reads user/profile data of local email clients

      E-mail clients store profile data, including saved account credentials, on disk; infostealers commonly read it from there.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data such as saved logins, cookies and autofill entries.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a freshly created, suspended process is the usual last step of process hollowing: the payload is written into a legitimate host process and its main thread is pointed at the new entry point before the process is resumed.
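
The signatures above describe host behaviour that is visible in endpoint telemetry. The following is an added example, not part of the sandbox report, of a small rule set that flags Run-key persistence to a user-writable path, a file dropped under the Drivers directory, and reads of FTP, e-mail and browser credential stores by a process that is not their owner. The event schema, the user and file names in the sample telemetry and the installer allowlist are assumptions for the example; the credential-store file names are the real ones used by FileZilla, Thunderbird and Chromium-based browsers.

```python
# Added example (not part of the sandbox report): flag the host behaviours the
# sandbox signatures describe in constructed EDR-style telemetry. The event
# schema, "alice", "update.exe", "payload.bin" and DRIVER_INSTALLERS are
# assumptions; the credential-store paths are the real application paths.
import ntpath
import re

RUN_KEY_RE = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Locations an unprivileged process can write to; a Run entry pointing here is
# the classic infostealer persistence pattern.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DRIVERS_DIR = "\\windows\\system32\\drivers\\"
DRIVER_INSTALLERS = {"msiexec.exe", "drvinst.exe"}  # assumption: tune to your estate

# (directory fragment, file names, processes that legitimately read them)
CRED_STORES = [
    ("\\filezilla\\",   {"sitemanager.xml", "recentservers.xml"}, {"filezilla.exe"}),
    ("\\thunderbird\\", {"logins.json", "key4.db"},               {"thunderbird.exe"}),
    ("\\user data\\",   {"login data"},                           {"chrome.exe", "msedge.exe"}),
]


def classify(event):
    """Return the name of the first matching rule for one event, or None."""
    kind = event["type"]
    proc = ntpath.basename(event.get("process", "")).lower()
    if kind == "reg_set":
        data = event["data"].lower()
        if RUN_KEY_RE.match(event["key"]) and any(p in data for p in USER_WRITABLE):
            return "run_key_to_user_writable_path"
    elif kind == "file_create":
        if DRIVERS_DIR in event["path"].lower() and proc not in DRIVER_INSTALLERS:
            return "file_dropped_in_drivers_dir"
    elif kind == "file_open":
        path = event["path"].lower()
        name = ntpath.basename(path)
        for fragment, names, readers in CRED_STORES:
            if fragment in path and name in names and proc not in readers:
                return f"credential_store_read:{name}"
    return None


def scan(events):
    """Return (rule, event) pairs for every event that matches a rule."""
    return [(rule, e) for e in events if (rule := classify(e)) is not None]


# Constructed telemetry for one user; "update.exe" stands in for the payload
# and is not a file name taken from the report.
PAYLOAD = "C:\\Users\\alice\\AppData\\Roaming\\update.exe"
SAMPLE_EVENTS = [
    {"type": "reg_set", "process": PAYLOAD,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "update", "data": PAYLOAD},
    {"type": "reg_set", "process": "C:\\Windows\\System32\\msiexec.exe",
     "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "agent", "data": "C:\\Program Files\\Vendor\\agent.exe"},
    {"type": "file_create", "process": PAYLOAD,
     "path": "C:\\Windows\\System32\\drivers\\payload.bin"},
    {"type": "file_open", "process": PAYLOAD,
     "path": "C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\sitemanager.xml"},
    {"type": "file_open", "process": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe",
     "path": "C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\sitemanager.xml"},
    {"type": "file_open", "process": PAYLOAD,
     "path": "C:\\Users\\alice\\AppData\\Roaming\\Thunderbird\\Profiles\\x1.default\\logins.json"},
    {"type": "file_open", "process": PAYLOAD,
     "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
]

if __name__ == "__main__":
    for rule, event in scan(SAMPLE_EVENTS):
        print(f"{rule:40s} {event['process']}")
```

The owner allowlist is what keeps the credential-store rule quiet on a normal day: the same file opened by filezilla.exe is expected, opened by anything else it is the behaviour the sandbox flagged. SetThreadContext is not in this rule set because file and registry telemetry does not carry it; that one needs API-level or ETW-based monitoring.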

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                            Signatures  ID
  Persistence         Registry Run Keys / Startup Folder   1           T1060
  Defense Evasion     Modify Registry                      1           T1112
  Credential Access   Credentials in Files                 3           T1081
  Collection          Data from Local System               3           T1005

  The Signatures column counts the matched signatures above that map to each technique. T1060 and T1081 are ATT&CK v6 identifiers; later versions fold them into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1552.001 (Unsecured Credentials: Credentials In Files).
