General

  • Target

    purchase order.exe

  • Size

    440KB

  • Sample

    211020-sylx4aabcn

  • MD5

    b57085c23e5029e538811623864d9373

  • SHA1

    cd89d4b32fad0b8fbbf3a266b6da6837f776dbd0

  • SHA256

    ffb871cdd407615d8113f1db5ecbf2e6fe02045e08d3d059d420e23f5f212a9d

  • SHA512

    5dcce01b20f8ab3dc2ab5570813926e368b2c585f0c5067c5ecf28a95984845f7c87b1adfd632a8ab4b2987973725ec1ba2ad5f80fbad03e530e5fe7a6b2b60a

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.supersigns.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    icui4cu2@@

Targets

    • Target

      purchase order.exe

    • Size

      440KB

    • MD5

      b57085c23e5029e538811623864d9373

    • SHA1

      cd89d4b32fad0b8fbbf3a266b6da6837f776dbd0

    • SHA256

      ffb871cdd407615d8113f1db5ecbf2e6fe02045e08d3d059d420e23f5f212a9d

    • SHA512

      5dcce01b20f8ab3dc2ab5570813926e368b2c585f0c5067c5ecf28a95984845f7c87b1adfd632a8ab4b2987973725ec1ba2ad5f80fbad03e530e5fe7a6b2b60a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks