General

  • Target

    d766688082ec1664718094ea8688a36cbb4339c8e0bbb8bb683bfae6602cf4f9

  • Size

    461KB

  • Sample

    220521-mx6m8afgeq

  • MD5

    9cabf5f777a907f26e63764e6937c9dc

  • SHA1

    d1a3f6e058d8673cf4af3cf6727a125af3c19d34

  • SHA256

    d766688082ec1664718094ea8688a36cbb4339c8e0bbb8bb683bfae6602cf4f9

  • SHA512

    8a939529e621d1a429973c2bab20a6ce1404a90dd7f320095e0f3e9dfe6c429588dec64e5eada1e35e0c9c384c15e2b8fdc8cee1c04d1c4607aca26676a767cd

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ikrrispharmanetwork.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Q5Ab{kp_p0?a

Targets

    • Target

      Swift Copy.exe

    • Size

      765KB

    • MD5

      6b1ed2f5d2b314b8d8af86266b8055ca

    • SHA1

      53c43c59bcc7456ea9857ee4a245b2341f5e4404

    • SHA256

      20d66ddece0fa3ebb5a0573a7290ce696468ab27b55b99c37889ba6b4dab89ab

    • SHA512

      c859de74b7d132ed28c2782aac67133ffdbef51f9df4a87064f41ea6f3cca40b455329b3f785b15ff145063df2af1614e61cdc093bad0cc9dec8005b5cd7edf5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks