General

  • Target

    c5918508f1e4174bf84c1553187cf08bac22d7358b91ab2bf39b8dda27a98154

  • Size

    650KB

  • Sample

    220415-kqgpeaeben

  • MD5

    0846e2ec8c618ce82d0b5afe3d1d4bdc

  • SHA1

    f62b82177f25af6d0dabd0bd8c2820270651ca79

  • SHA256

    c5918508f1e4174bf84c1553187cf08bac22d7358b91ab2bf39b8dda27a98154

  • SHA512

    1b53b80a2a6fbf582e8ba6ee22a6b4b5900dae3143adf4ccc47ffb41ff75af0fb46eaef58ad6836c0844f39b923d92e0d549db8fc5f83f198a7c29034606a163

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.theislandshipping.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ship666

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Meta Stealer

      Meta Stealer steals passwords stored in browsers, written in C++.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks