General

  • Target

    Pago Transferencia.pdf.exe

  • Size

    489KB

  • Sample

    211125-tjhgssffhl

  • MD5

    02bf0fc6d6fdc5aa692f136da966b62c

  • SHA1

    7ab36a1ea547408e9254428887b3a41a83e2c849

  • SHA256

    49121cf42d9ee0f820e76416c3bd0ea7f69036fde442ca8ad2a69737c50ac97e

  • SHA512

    2984aa3dbfbba599e3972831646f58015230268cd5ad2a468e0194804ab5132219a256efbfddfd2d3ee78b29b4dad0b8b67b79ec38bfba9919b3941e0dd4cd23

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.bhgautopartes.com
  • Port:
    587
  • Username:
    ugo@bhgautopartes.com
  • Password:
    icui4cu2@@

Targets

    • Target

      Pago Transferencia.pdf.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access

    Credentials in Files, T1081 (2)

  • Collection

    Data from Local System, T1005 (2)

    Email Collection, T1114 (1)

Tasks