General

  • Target

    f1b3c6cfecb62010f8cd4cb100a760865d244ee9bdf92d849f2561d2cd36882b

  • Size

    268KB

  • Sample

    220121-2t1ecsbhb5

  • MD5

    0a5e9a75afeaf40c2ae3cbef91fe10af

  • SHA1

    475f086deb0d86a384852e03a46394f267326771

  • SHA256

    f1b3c6cfecb62010f8cd4cb100a760865d244ee9bdf92d849f2561d2cd36882b

  • SHA512

    b2f0a0f22092318b372f73d015c1fd2e7251c04f97c3bee292716de2c99d09fd1fa09f7688a793cebc6602fd13ec8bbd1ad8b4f658ee0c94c0caff61f5261e8b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.zolvtek.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    susan1234

Targets

    • Target

      KINETRICS-INV AND CONTRACT OFFER_Pdf.js

    • Size

      618KB

    • MD5

      fc044ff2b1cbc1f3135d32f872feb918

    • SHA1

      cd27200ed74b3bf66450f5dbebe39e76b906c006

    • SHA256

      ab50b83463c8797644dbf07441650e06510b9d3aa70478e218dd0a1116c5001f

    • SHA512

      a64da0d189fb7ea4a821cb892736f0e88e22a56eabcb02439e89512378755110405c2f792f20c5357cde783286ad0b7660c2166a0cc1a513ba8c0d539783aa84

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

    • WSHRAT Payload

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
