General

  • Target

    Product Inquire List.doc.7z

  • Size

    391KB

  • Sample

    211020-tczshahcd4

  • MD5

    30698b5ec08b5fbba3e2cc221b28514a

  • SHA1

    8a9b9bd58df14e670dda79a958b479ac70e39bc7

  • SHA256

    8e1d55739d99a55b72697d59395db4835a0e6423fdc93647c881d6573bc04bbe

  • SHA512

    250284d522f7e2e5d5830efd7d9e4bf7c72a409f5d3f406c7e1f3b6fe35f132d5b207d33fe9bbd1e16aa45a10a6f2176600d66e773606b60f202651a656950fa

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.ecurs.ro/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    t&,QuY0fJi5R

Targets

    • Target

      Product Inquire List.doc.exe

    • Size

      440KB

    • MD5

      05270120d0e5f9d72a2809c6bf5180b0

    • SHA1

      ba724979e7f6f46ac33e096180ad531c1a37e9ca

    • SHA256

      0a2521fb76fe94f9c8dff781b757fde0eabebb9abcc5038a6e2bc1a0fa17458e

    • SHA512

      647e209489afcf38c81ad61060c5e70e4a6d0d5aa6a2a4941cbbbf1980cb4252fdb5a180f39a5b8556d4e9974350e56f47dd9db4db74d81bb84e992c9d56fc1f

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks