General

  • Target

    7ca0541b.exe

  • Size

    783KB

  • Sample

    211023-j1bepscbg4

  • MD5

    c76f187107bee1ce2df352b05e630356

  • SHA1

    2c4e9462828e90573965ea02efc1b22d4020cbe8

  • SHA256

    7ca0541b2df62e8b9e2b7b81f0c151f93a9c630d3c31252856932a4a824d3100

  • SHA512

    47db99c394dcf9ebd29d5e9058ef34e40bd09163de4473231aad48f3e6326954a8f11442d482e23c89e731bdfd3974f0aad17e3aaacbaca77730997f27851d3a

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.electronmash.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Zanzibar2018

Targets

    • Target

      7ca0541b.exe

    • Size

      783KB

    • MD5

      c76f187107bee1ce2df352b05e630356

    • SHA1

      2c4e9462828e90573965ea02efc1b22d4020cbe8

    • SHA256

      7ca0541b2df62e8b9e2b7b81f0c151f93a9c630d3c31252856932a4a824d3100

    • SHA512

      47db99c394dcf9ebd29d5e9058ef34e40bd09163de4473231aad48f3e6326954a8f11442d482e23c89e731bdfd3974f0aad17e3aaacbaca77730997f27851d3a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks