General

  • Target

    b5abda4bfe4a155cf62329e7b46e4bbe6e9c52476db77fbae7768890ece57646

  • Size

    250KB

  • Sample

    220521-m1r91afhfn

  • MD5

    9a08312459725f39441bb9420f804d4e

  • SHA1

    c8a2c338e9bbc57923f763e2edab1544de2baeb8

  • SHA256

    b5abda4bfe4a155cf62329e7b46e4bbe6e9c52476db77fbae7768890ece57646

  • SHA512

    90ff89e4fbd002d37b6435b683b9715d61e46003544f499176de3b293a514dd20be0166372e1348dce82e910c1b665d0d6d48abed2a221a19ae60c8cc184f37d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.sman22sby.sch.id/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    lCbu4QNBjE

Targets

    • Target

      3678811123_PDF.exe

    • Size

      358KB

    • MD5

      bd0e4294b5dbd169ea5afb69bd1c8afb

    • SHA1

      a6690a46491639447f0e1f51542c8ba7b35b5259

    • SHA256

      a7b93c81adb5434f4bbb77f954f02dd01914c95d189deda48e3d456e03a5b92f

    • SHA512

      980991172aff9e41fd09371975bfa9b320cef3963a369492c6eb4f95a3392d30b1ff1dbe65e576fbee9f2b990846966d0839b36884d4abf863e68139487a790e

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic. It harvests saved credentials from web browsers, email clients and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the extracted config above shows this sample using FTP.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients keep account settings and saved credentials in on-disk profiles, a common target for infostealers.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

      Outlook stores account settings, including saved mail server credentials, in per-user profile registry keys.

    • Suspicious use of SetThreadContext

      Setting another thread's context is a step in process hollowing and related injection techniques: the payload is written into a suspended process and the thread's entry point is redirected to the injected code.
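The four credential-store reads listed above can be turned into a host-side check. The following is an added example, not part of this report and not code from the sample or the sandbox: a Python detector that runs over Windows Security event 4663 (object access audit) records and flags any process other than the owning application reading FTP-client configs, Thunderbird profiles, browser login databases or Outlook profile registry keys. The event records are constructed and simplified; the process name 3678811123_PDF.exe is taken from the report, while the PIDs, user name, SID and paths are illustrative. Real 4663 events only appear for objects carrying an audit SACL.

```python
"""Flag credential-store reads by unexpected processes (Windows event 4663).

Added example for the behaviours listed in the sandbox report; not code from
the report, the sample or the sandbox. Input events are constructed and
simplified; real 4663 events need an audit SACL on the monitored objects.
"""
import re
from dataclasses import dataclass

# Credential stores an Agent Tesla-style stealer reads, keyed by the behaviour
# categories the report uses. Patterns match a lower-cased, backslash-normalised
# object path (file path or registry key path).
CREDENTIAL_STORES = {
    "ftp_client": [
        r"\\filezilla\\(sitemanager|recentservers|filezilla)\.xml$",
        r"\\winscp\.ini$",
    ],
    "email_client": [
        r"\\thunderbird\\profiles\\[^\\]+\\(logins\.json|key4\.db|key3\.db)$",
    ],
    "web_browser": [
        r"\\(google\\chrome|microsoft\\edge|bravesoftware\\brave-browser)"
        r"\\user data\\[^\\]+\\(login data|web data)$",
        r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db)$",
    ],
    "outlook_profile": [
        r"\\software\\microsoft\\office\\[\d.]+\\outlook\\profiles\\",
        r"\\software\\microsoft\\windows nt\\currentversion"
        r"\\windows messaging subsystem\\profiles\\",
    ],
}

# Processes expected to read their own stores; any other reader is a finding.
EXPECTED_READERS = {
    "ftp_client": {"filezilla.exe", "winscp.exe"},
    "email_client": {"thunderbird.exe"},
    "web_browser": {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"},
    "outlook_profile": {"outlook.exe"},
}

READ_DATA = 0x1  # 4663 AccessMask bit: ReadData (files) / QueryValue (keys)


@dataclass(frozen=True)
class Finding:
    process: str
    pid: int
    category: str
    object_name: str


def classify(object_name):
    """Return the credential-store category for an object path, or None."""
    norm = object_name.replace("/", "\\").lower()
    for category, patterns in CREDENTIAL_STORES.items():
        if any(re.search(p, norm) for p in patterns):
            return category
    return None


def detect(events):
    """One Finding per (process, pid, category, object) where a process other
    than the store's owning application read the store's contents."""
    findings, seen = [], set()
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if int(ev.get("AccessMask", "0x0"), 16) & READ_DATA == 0:
            continue  # attribute-only access, not a content read
        category = classify(ev["ObjectName"])
        if category is None:
            continue
        process = ev["ProcessName"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if process in EXPECTED_READERS[category]:
            continue
        key = (process, ev["ProcessId"], category, ev["ObjectName"])
        if key not in seen:
            seen.add(key)
            findings.append(Finding(*key))
    return findings


def summarize(findings):
    """Store categories touched per process. A single process reading several
    categories is the infostealer pattern the report flags."""
    by_process = {}
    for f in findings:
        by_process.setdefault((f.process, f.pid), set()).add(f.category)
    return {k: sorted(v) for k, v in by_process.items()}


# Constructed sample events (illustrative, not real telemetry).
STEALER = r"C:\Users\victim\Downloads\3678811123_PDF.exe"
CHROME_LOGINS = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessId": 4120, "ProcessName": STEALER, "AccessMask": "0x1",
     "ObjectName": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    {"EventID": 4663, "ProcessId": 4120, "ProcessName": STEALER, "AccessMask": "0x1",
     "ObjectName": r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abc123.default\logins.json"},
    {"EventID": 4663, "ProcessId": 4120, "ProcessName": STEALER, "AccessMask": "0x1",
     "ObjectName": CHROME_LOGINS},
    {"EventID": 4663, "ProcessId": 4120, "ProcessName": STEALER, "AccessMask": "0x1",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001"
                   r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    # Benign: the owning application reading its own store.
    {"EventID": 4663, "ProcessId": 2210, "ProcessName": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "AccessMask": "0x1", "ObjectName": r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"},
    # Attribute-only access (0x80 = ReadAttributes), not a content read.
    {"EventID": 4663, "ProcessId": 880, "ProcessName": r"C:\Windows\explorer.exe",
     "AccessMask": "0x80", "ObjectName": CHROME_LOGINS},
    # Repeat of the first read: deduplicated.
    {"EventID": 4663, "ProcessId": 4120, "ProcessName": STEALER, "AccessMask": "0x1",
     "ObjectName": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    # Handle request (4656), not an access event.
    {"EventID": 4656, "ProcessId": 4120, "ProcessName": STEALER, "AccessMask": "0x1",
     "ObjectName": CHROME_LOGINS},
]

if __name__ == "__main__":
    for (process, pid), categories in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{process} (pid {pid}) read credential stores: {', '.join(categories)}")
```

The allow-list of expected readers is deliberately narrow; backup agents and sync clients that legitimately touch these files will show up and need to be added per environment. The 0x1 mask check matters because explorer.exe and indexing services routinely query attributes of these files without reading their contents.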

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 3 matches

  • Collection

    Data from Local System (T1005): 3 matches

    Email Collection (T1114): 1 match
