General

  • Target

    6338cb73a1210d16efa560f54950824aa748cd5f71a119334ec3f321301f835b

  • Size

    453KB

  • Sample

    220521-my3mysfhaj

  • MD5

    017a7ab36fc79a9f27466366e495cf55

  • SHA1

    4590aaef5184f7ae05291515b42a314898aa1ccd

  • SHA256

    6338cb73a1210d16efa560f54950824aa748cd5f71a119334ec3f321301f835b

  • SHA512

    8027077362b56b45626d501daaa3ab5eb6f2b2a76c4de211fa42bc43369aa8fca35f63b1d60c7313a9b06b6ffc197ebf3289da3794915bf0185b58a378f7853b

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ikrrispharmanetwork.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Q5Ab{kp_p0?a

Targets

    • Target

      Inquiry 500674 {ANSYS ENGINEERING PVT.LTD}.exe

    • Size

      732KB

    • MD5

      f988fdb69000424a89e909098c92e224

    • SHA1

      8d229a101ae821c01d5af3addb4063c98a39e279

    • SHA256

      d7834fcfcc6566637c03e6d09dfa4f8bd51ed085b6a7fc75b33d458947d2c997

    • SHA512

      212ff772be795700af034cf181c9e36330fe69addd14f097e6f44ddbd1e372e505a4cb7c4548c7162b3ac4a3ba061e9bdaa4b51b0d64211adff99147da1e4eec

    • AgentTesla

      Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer. The variant analysed here exfiltrates harvested data over SMTP using the mail account in the extracted configuration above.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to read the configuration files of FTP clients such as FileZilla (for example sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla), which hold saved server credentials.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved logins on disk, where infostealers routinely target them.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

      Outlook account configuration is kept in profile keys under HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles; reading them is a common step before stealing mailbox credentials.

    • Suspicious use of SetThreadContext

      Setting the context of another process's thread is characteristic of process hollowing: the payload is written into a suspended host process and its entry point is redirected before the thread is resumed.

MITRE ATT&CK Matrix (ATT&CK v6)

The number in the third column is how many of the signatures above map to each technique.

  Tactic              Technique                 Signatures  ID
  Credential Access   Credentials in Files      3           T1081
  Collection          Data from Local System    3           T1005
  Collection          Email Collection          1           T1114

Note that the IDs follow ATT&CK v6: T1081 was later retired and its content lives under T1552.001 (Unsecured Credentials: Credentials In Files) in current versions of the framework.
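The following is an added example, not part of the sandbox report or of any vendor tooling. It ties the three sections above together: it matches constructed sandbox events against the behaviour signatures listed for this sample, tallies them per ATT&CK v6 technique the way the matrix does, and flags any network event that reaches the SMTP host and port from the extracted configuration. The simplified "type|target" event format, the sample event lines and the signature-to-technique mapping are assumptions; the mapping is chosen so that it reproduces the counts in the matrix above.

```python
"""Triage helper: map sandbox behaviour events for an AgentTesla sample to the
report's signatures and ATT&CK v6 techniques, and flag the exfiltration channel
from the extracted configuration.  Added example; all events are constructed."""
import re
from collections import defaultdict

# Exfiltration endpoint from the report's "Malware Config" section.
EXFIL_CONFIG = {"protocol": "smtp", "host": "smtp.ikrrispharmanetwork.com", "port": 587}

# Constructed sandbox events in a simplified "type|target" form (assumed format,
# not any real sandbox's output).  The last line is benign noise.
SAMPLE_EVENTS = [
    r"file|C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml",
    r"file|C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    r"file|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"file|C:\Users\user\AppData\Roaming\Thunderbird\Profiles\abcd.default\logins.json",
    r"reg|HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"api|SetThreadContext",
    r"net|tcp|smtp.ikrrispharmanetwork.com|587",
    r"file|C:\Windows\System32\kernel32.dll",
]

# (signature name as printed in the report, ATT&CK v6 techniques assumed for it,
#  regex over the event line).  The SetThreadContext signature has no technique
# in the report's matrix, so it maps to none here.
RULES = [
    ("Reads data files stored by FTP clients", ("T1081", "T1005"),
     re.compile(r"^file\|.*\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("Reads user/profile data of local email clients", ("T1081", "T1005"),
     re.compile(r"^file\|.*\\Thunderbird\\Profiles\\.*\\(logins\.json|key4\.db)$", re.I)),
    ("Reads user/profile data of web browsers", ("T1081", "T1005"),
     re.compile(r"^file\|.*\\User Data\\.*\\(Login Data|Cookies|Web Data)$", re.I)),
    ("Accesses Microsoft Outlook profiles", ("T1114",),
     re.compile(r"^reg\|HK(CU|LM)\\.*\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)),
    ("Suspicious use of SetThreadContext", (),
     re.compile(r"^api\|SetThreadContext$")),
]


def match_events(events):
    """Return {signature name: [matching event lines]} for every rule that fired."""
    hits = defaultdict(list)
    for ev in events:
        for name, _techniques, pattern in RULES:
            if pattern.search(ev):
                hits[name].append(ev)
    return dict(hits)


def attack_summary(events):
    """Count distinct fired signatures per technique, as the report's matrix does."""
    fired = match_events(events)
    counts = defaultdict(int)
    for name, techniques, _pattern in RULES:
        if name in fired:
            for technique in techniques:
                counts[technique] += 1
    return dict(counts)


def exfil_indicators(events, cfg=EXFIL_CONFIG):
    """Flag network events that reach the host and port from the extracted config."""
    flagged = []
    for ev in events:
        parts = ev.split("|")
        if len(parts) != 4 or parts[0] != "net":
            continue
        _kind, proto, host, port = parts
        if host.lower() == cfg["host"].lower() and int(port) == cfg["port"]:
            flagged.append(f"{proto}://{host}:{port} "
                           f"({cfg['protocol']} exfiltration channel from extracted config)")
    return flagged


if __name__ == "__main__":
    for name, evs in match_events(SAMPLE_EVENTS).items():
        print(f"[sig] {name}: {len(evs)} event(s)")
    for technique, n in attack_summary(SAMPLE_EVENTS).items():
        print(f"[attack] {technique}: {n} signature(s)")
    for line in exfil_indicators(SAMPLE_EVENTS):
        print(f"[exfil] {line}")
```

The exfiltration check is the piece worth lifting into production detection: a connection from a user workstation to an unfamiliar SMTP submission host on 587, immediately after reads of FileZilla, browser and mail-client credential stores, is the observable footprint of this family regardless of how the binary is packed.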
