General

  • Target

    f5ba380953345439bbdfb42f63f8965dbbf991e41213d7ad3ceb4e23ef78ecab

  • Size

    510KB

  • Sample

    220521-m4mtpadac6

  • MD5

    915e7100f86357266c2b37db1ce77e4f

  • SHA1

    c34c162becbb6cee7e93a45d2e595e435247036f

  • SHA256

    f5ba380953345439bbdfb42f63f8965dbbf991e41213d7ad3ceb4e23ef78ecab

  • SHA512

    bf6172c685631f94947234d2394a11f15d7142b4cdb010721168e407dcea2ccc21278585eefcce6806854b3394346ae8b6560a29c8ca0047b69d7b3b482db58d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.acroative.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    onegod5050()

Targets

    • Target

      Purchase_Order_111982111.exe

    • Size

      819KB

    • MD5

      070dc07c464b01a1f7bb9b3561ab5df1

    • SHA1

      5f5305e1fdc2e675adb13cb83bd231cf93019e1c

    • SHA256

      2fcc3c49cbacd359f308ab59cbafdec24f95d4b638bf9c2fd5dd466379dac3aa

    • SHA512

      3c154b94d7129f19ef2f87ff9180649658fee56e7652c2cbf455db8ac5fe4cad8c96746e44bc8a846e4233b7bffdd2a78db8b546820ecd4ceaee5c5cb8f0c1cd

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 3
  • Collection: Data from Local System (T1005), 3
  • Collection: Email Collection (T1114), 1
