General

  • Target

    de49b1e90182231c349cfb09bf631ecbbfd6752c6a83fca107e1b387ab042254

  • Size

    420KB

  • Sample

    220521-mx4hvscfd7

  • MD5

    59b915ec256efba862bc69d25a22dcb9

  • SHA1

    f4592120519703fa6bfa30347b0385c6880569da

  • SHA256

    de49b1e90182231c349cfb09bf631ecbbfd6752c6a83fca107e1b387ab042254

  • SHA512

    39ed4ad4d8b9bc48dd91dc45b2298159256913a5f15b00f0d8fee2b8a1cd0ff56854ff1541201bc78461f637479920e3649e6e50ee0ac6b1e755e63080a6b441

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.ableacn.com/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    vw9((q&;E}_L

Targets

    • Target

      FOB machine Quotation.exe

    • Size

      668KB

    • MD5

      f2e9e25b319bf1fe6bcdd066fe726ea9

    • SHA1

      f4ef81cea6e14d2cad0c7a7f2c1348b6479ce313

    • SHA256

      30e37124f75673a8862b10320d1ba3716adc8993e255e96d40523aa9722162bb

    • SHA512

      2943c9b65bb2b5552d8ad49ccf37b17fc1cb0244a4647d5988977725c0494a5a04006d1658c4d46616e7a59a2f24c3022079e8b73fb4bbfa236135274b011c0a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 3

Collection

  • Data from Local System (T1005): 3
  • Email Collection (T1114): 1
