General

  • Target

    fd22469fbe5ff6450360296416c5e0b89c0583bb1080b6ad64d476f8961942cc

  • Size

    444KB

  • Sample

    220521-mxqa8scfb7

  • MD5

    4ce017a28b428ff7fc7bd4bc59088112

  • SHA1

    2adefc8af0e90063fbc25a09d971c4793b6f0cf8

  • SHA256

    fd22469fbe5ff6450360296416c5e0b89c0583bb1080b6ad64d476f8961942cc

  • SHA512

    4915e96528037ff473a2620a60b3a180bd7cf622eecd03d130350ee3e2cf6ae1bd3b2f9ad400b9e08930517f2ed9881c4f5a5d42182924943bb1d90400d5f8d0

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.shrc-india.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Orders@9999

Targets

    • Target

      sam123.exe

    • Size

      694KB

    • MD5

      37d0f2c1177b55d247c8580a3f63c165

    • SHA1

      0cb64a604e5866ac223d28c769b34095d4abfda0

    • SHA256

      dbbaf0499e544e3832699110f71f62a521ec93cc8a74656c92af7023f554d897

    • SHA512

      fe06b99608f92c1c94e174d46a27303b2f29747152a02713e3cbebf5971e029eadeae3f3d23dcb57cc15b01bb7e9468d25579a64d5c19ea5d518d5469d33e707

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks