General

  • Target

    Doc-CS3.rar

  • Size

    516KB

  • Sample

    211014-fnbm6agahj

  • MD5

    056bf6e26a5642bfba7d4467d929eb92

  • SHA1

    963b34cef3e144d10643a935114e6e1645fd971b

  • SHA256

    16d82530ebe9491a76946b33ca441bf9f61bb5cc4404611746775a3157e7bd43

  • SHA512

    01ad2421cd17d1537a26e59b2bddc309da30d3abec6d2ac3af7302532b33c4b983bce0e1d710641da3badeaec629284b6a25651ffffe6c964ffec3c0e0dcd569

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.alraedsecurity.com
  • Port:
    587
  • Username:
    tauseef@alraedsecurity.com
  • Password:
    Alraed99pass@

Targets

    • Target

      Doc-CS3.exe

    • Size

      548KB

    • MD5

      c9fa29e6e303450e5c9890518d27ebfa

    • SHA1

      314d358046143e4d4dd88e3d7dc0db9e9b999947

    • SHA256

      be91eb148b36528adb2b49362c50a099cf0cfbf5f1d5bd18ce88751b3c779ae6

    • SHA512

      a634a6657ae92b28cbb6896c92cdaa5be866f12d5106523bb8363e290dbebfea0381cf08d1f7ec93a1d127ba551b2e80170383fee5f2a57bd3030e3da1aaedca

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                       Signatures  ID
  Execution              Scheduled Task                  1           T1053
  Persistence            Scheduled Task                  1           T1053
  Privilege Escalation   Scheduled Task                  1           T1053
  Credential Access      Credentials in Files            3           T1081
  Discovery              System Information Discovery    1           T1082
  Collection             Data from Local System          3           T1005
  Collection             Email Collection                1           T1114

Tasks