General

  • Target

    f9bef5e8759c927c71b53da0187db4c7ffe0c2f30f48544dff43a37e968d386a

  • Size

    470KB

  • Sample

    220521-mxrjascfc3

  • MD5

    23fc03fcf4569652082e880f955ca692

  • SHA1

    83a82a6a3dd8674f76547d63ccbd9291e684f161

  • SHA256

    f9bef5e8759c927c71b53da0187db4c7ffe0c2f30f48544dff43a37e968d386a

  • SHA512

    a8d699fe55102db39dacca37568831c2b0ad8d11c7744989a972328206b3a964394977e882a030ee84323b7a8e06d505d0651e04a7f59dd00befc4f34be70613

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    aboyo54

Targets

    • Target

      New Order_75869.exe

    • Size

      804KB

    • MD5

      402706f192df69d4bda8db49425a510f

    • SHA1

      05ed390c67b8fb9df6dd27ed58823fbc4b09cba2

    • SHA256

      04428691034f3f528edcfb3a87d8edb1ea37d2cba338657e29ebc857c2fa5a6b

    • SHA512

      65cb241dd4d6cd3608a496034bde076e35a3e1b22322c7735c9949a1aaffc9060b51132cc92835f1916cde02790fd24401a36438422ca988d53b7d6ae6d9afbe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 3

  • Collection

    Data from Local System (T1005): 3

    Email Collection (T1114): 1

Tasks