General

  • Target

    c473f3e2-f8b1-4c8b-a4a2-08d9a90518c2cb60c4ba-ee01-47d6-0a62-164f80712c8e.eml.zip

  • Size

    786KB

  • Sample

    211202-hpw2lafea2

  • MD5

    d6e780ca394eb7b1f5fbdf4a1a8bab3c

  • SHA1

    1a54d087a7c6be4c81d6dbb56e88ddaad1acb7db

  • SHA256

    7a8732698f2f81274070a085caa2cb933cfd843437dfa5e23ec83e5c71c30b7c

  • SHA512

    1c8e8f609837cd5feb08742363685df2f5753964661e9a1839788034cb97ca358356b4b16d639cbca8bac2ee4f3823044285e040eec77e72453d7c428e35d02c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.agenciaaros.com.py
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    icui4cu2@@

Targets

    • Target

      comprobante_79433161.pdf______________________________.exe

    • Size

      456KB

    • MD5

      01695780f415e0d1e9dc20c16dbb64d1

    • SHA1

      f44d0b77c9d88a1335f617f4f65d94e1036ef24b

    • SHA256

      d08be3f4b0e2532a51bb9fbf929d2d1e4ad9f3adae2c66ac70e4dfc3acc45aab

    • SHA512

      485b4dbc8c9e4750dfed944aecb93d5e5023efeb51872fe61a256e8aebbcab30bf753036feec7a0af18b48be8f7ce7b62f2b3fae7f95d4d793835d4212d065c8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Registers COM server for autorun

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks