General

  • Target

    81c4583d4c7abfa86c5328a33ac5ae3eb97232544c1dc0e8a96c95cfcf67864f

  • Size

    697KB

  • Sample

    220415-ptvsnacdf2

  • MD5

    cbbf57e492af0887af6d6388bc1b0d55

  • SHA1

    2db73524c4c21714cef6cf38520bbee4199e8432

  • SHA256

    81c4583d4c7abfa86c5328a33ac5ae3eb97232544c1dc0e8a96c95cfcf67864f

  • SHA512

    ebf9a39b9e3986edc06872ae15f86441c54d8e8f34e8488235247b5b6075b8d79c7cea0beb30af87ba582bf02cec40c5ea96bf6e8e375ecc8e6d84cd4ac3f8b2

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    riches22@123456

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Meta Stealer

      Meta Stealer steals passwords stored in browsers and is written in C++.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks