General

  • Target

    MV MINSCO TBN - Ship particulars.cab

  • Size

    299KB

  • Sample

    211019-l1mh3sffb5

  • MD5

    3c33332bd4a5e2a589d6754e2b1c366c

  • SHA1

    c6ee09f377e204e9880d4a667844a06bad2a2381

  • SHA256

    59535feb60c6037d2928d6eac6967ea35c4708e23de5a02f077d5ee0ce6004d3

  • SHA512

    54c59c0ba00c9503efc739fef464494130ce8105ca6ff809c7cd08a3f2f78f0b7cf28258ae796590b5c9a1c4aef1754279e7fa99a654fd3a7263684ede9116a8

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.penavico--cz.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Fq$L%J((!6

Targets

    • Target

      MV MINSCO TBN - Ship particulars.exe

    • Size

      770KB

    • MD5

      545eaa55c962df648708bb0bb01bcb28

    • SHA1

      39e0c699f9bd668dc65561aef01451deeb41b073

    • SHA256

      138e666baba119aed949d7064ded4f2ddafaa85e95b09bbd5c4ed7d2b77ac9ef

    • SHA512

      4892171284b009dc58a0ea5a781006e52c1dc729e924f386749336b9e56880ecdf6f67e43bee9c8f26b345cfcaab4b53305cd78f33a04d1b3d6016db4a2684cb

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks