General

  • Target

    eStatement_300000H_0987TRF09_98354_2021.exe

  • Size

    419KB

  • Sample

    211020-pnw4jahhgm

  • MD5

    9ce919458a79d1ccba2bbb621b1c2b2d

  • SHA1

    dfb88137eab778105b818229f4931c1bb44a21dc

  • SHA256

    0f37309a0b1a40e1af9f9e2b193d919ea587aef09e6ce74477489340e6bc02a3

  • SHA512

    9190180caeb0e91c577c7f0afd08290d30b9442b4cd1c54573baec1efd85719542e274d3961671871aa0438f23441478489bda3f24c4e99bcd2a49e6324416d3

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.randebann.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nZ(hZCp1

Targets

    • Target

      eStatement_300000H_0987TRF09_98354_2021.exe

    • Size

      419KB

    • MD5

      9ce919458a79d1ccba2bbb621b1c2b2d

    • SHA1

      dfb88137eab778105b818229f4931c1bb44a21dc

    • SHA256

      0f37309a0b1a40e1af9f9e2b193d919ea587aef09e6ce74477489340e6bc02a3

    • SHA512

      9190180caeb0e91c577c7f0afd08290d30b9442b4cd1c54573baec1efd85719542e274d3961671871aa0438f23441478489bda3f24c4e99bcd2a49e6324416d3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks