General

  • Target

    platby_.exe

  • Size

    24KB

  • Sample

    211021-ph16asacd4

  • MD5

    fc3e85a4c9f9f8a1c3b929dc6d28e943

  • SHA1

    21b6b3fdd0347c93cc0780bd48db33c9b71544bf

  • SHA256

    69958e42628bd4017cd0f1a8c1dfd6851b0257f02dea588d2d2f7c23a723b3da

  • SHA512

    5f1fe77fb00d7263b61050a009b715cbe9c9247f866783f594ec38f1903da049d7e4009e95d03eeff6e4ae172e734ebba79fb70eaa9945c7fb9377e4f712b998

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.fullmachinespa.cl
  • Port: 587
  • Username: mcortes@fullmachinespa.cl
  • Password: marcor2018

Targets

    • Target

      platby_.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target that data.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                 Count   ID
  Credential Access   Credentials in Files      2       T1081
  Collection          Data from Local System    2       T1005
  Collection          Email Collection          1       T1114

Tasks