General

  • Target

    e64b588cd1cc19f9d30a3baf819ef6ec564c2920f358a502464d0205b1acf2fd

  • Size

    465KB

  • Sample

    220521-mxyydafgdq

  • MD5

    862f546ac35ba5c3e69d6e61e0189102

  • SHA1

    43d61ecf32bf0492dfa24746b1d6af8b8252a8c8

  • SHA256

    e64b588cd1cc19f9d30a3baf819ef6ec564c2920f358a502464d0205b1acf2fd

  • SHA512

    4892142308d321b560ccdf1a10a326917fba4469cce0cb73a75600710ad51cf1359f779b5e111667510bd7addaf99b647c272749808ed175c8b0ff05d91758c6

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.totallyanonymous.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    506g239R

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.totallyanonymous.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    506g239R

Targets

    • Target

      cheque deposit slip, BDT Amount 70,000.exe

    • Size

      719KB

    • MD5

      d207440e1ddcfd07dd367716b4352ad8

    • SHA1

      99c84cd904ecfc83d818ae91853b9b8135e6f447

    • SHA256

      fb2089862c97bb7765b51eda264b7338e5e32f71a70412926643a8991ce97c98

    • SHA512

      9ab4c5a48af1a2927416b8f6ceed6b0cd6071d2f135f7b04a155f2cb540734882dd6ca434b5667899a426d193e6c1b25bd45f1c10ed39379fa9edd1c76234327

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 3

Collection

  • Data from Local System (T1005): 3
  • Email Collection (T1114): 1

Tasks