General

  • Target

    Swife copy of payment.exe

  • Size

    512KB

  • Sample

    211021-p1r1cabbfk

  • MD5

    d63d0f4bdc8b3497aac76a2598c714e3

  • SHA1

    25694ab970b05b0018dc557ca9a2c82b31394fd5

  • SHA256

    2cb3f499c692ecb5c2833f84273954d7bf63bbd3ea3d43c8f5e46a1c57da30f8

  • SHA512

    510999ff7d723855e986e506776045eb70151c0d3713fec4d71e86f64c3413bb624df604a59ff6e7c9d4d12fd2be07e763d8af472e1d3335968661839737d39d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    ken@kengrouco.xyz
  • Password:
    Everest10

Targets

    • Target

      Swife copy of payment.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Credential Access

  • Credentials in Files (T1081): 2

Collection

  • Data from Local System (T1005): 2
  • Email Collection (T1114): 1

Tasks