General

  • Target

    0f9b8d8ae8d005c9ae9258981a54caf8652d0287cf4061993caafc90414849eb

  • Size

    441KB

  • Sample

    220520-2nvxpafff7

  • MD5

    7b347b8ba2c4090d6538bf10f24f1310

  • SHA1

    16f0cf77f67721d24673bab65fc7c3064a284e16

  • SHA256

    0f9b8d8ae8d005c9ae9258981a54caf8652d0287cf4061993caafc90414849eb

  • SHA512

    72751a66a4e27c915df832071d7c9f27a9b998e289d004afa60d01b0fd23a62e7ff25d125b54642f400e23c5eb96b95c480101a7fa29f7cf8885affdb08351e3

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bigboy5570@@@@

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bigboy5570@@@@

Targets

    • Target

      SKM_C3350191107102300.exe

    • Size

      551KB

    • MD5

      158dd75ecfc180976e54fad0b80d0d56

    • SHA1

      0f57c8303f27a51be62a468ea625830b293f93b9

    • SHA256

      0687d57f87a19e9860bc0f991a91ea9af31f8625dd15d191f4fac7e73520b49b

    • SHA512

      63930b1abb98a7efefca9661f7a1fa96fbfb8f00b876973ad2d4408073a3d0f58ba6773c64542ec24be809c252454af1b03aa4decdde09b2bcec47b2374e2d0d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks