General

  • Target

    Payment slip.exe

  • Size

    428KB

  • Sample

    211020-m6vbjshhap

  • MD5

    d85599a4afd0e04420fcaea0e7873608

  • SHA1

    9f6a9f1ebae2a0668b9e25cd58beaaff31d33def

  • SHA256

    28d5e6cd0519719ea136a6227cb4a5d598bf3bef2d317c0edc64bc059feaa3d3

  • SHA512

    71f6aa47ca46d89e9a1187205eeb6cc29d9bc835b7058462889548aeab4c944aac1dc7561237b5f3add1ac1260aae7654ff83115cb51690d7e823c3c3470f3bc

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Everest10

Targets

    • Target

      Payment slip.exe

    • Size

      428KB

    • MD5

      d85599a4afd0e04420fcaea0e7873608

    • SHA1

      9f6a9f1ebae2a0668b9e25cd58beaaff31d33def

    • SHA256

      28d5e6cd0519719ea136a6227cb4a5d598bf3bef2d317c0edc64bc059feaa3d3

    • SHA512

      71f6aa47ca46d89e9a1187205eeb6cc29d9bc835b7058462889548aeab4c944aac1dc7561237b5f3add1ac1260aae7654ff83115cb51690d7e823c3c3470f3bc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Tasks