General

  • Target

    c47b2c9da733c77dde69544c8a58d174e8bae30add1fe4c0678cf1a42cd1f1a0

  • Size

    488KB

  • Sample

    220521-mycrjacfe9

  • MD5

    6cc470067d611b6cfc4c7dfc9f362e70

  • SHA1

    36eb3e9da15034f265cc38c5d577fb1806604c5f

  • SHA256

    c47b2c9da733c77dde69544c8a58d174e8bae30add1fe4c0678cf1a42cd1f1a0

  • SHA512

    69060f252ead005860a69f77dc034678c0341ab9d19ccf180414eb0292fd6fe8b67f064b498cf8ecf58a6b75baef6800cc8a6550733e9a33e19778c0e917198d

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.flood-protection.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    kelex2424@
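The extracted config is the most useful pivot in the report: the mail host, port and account are what the sample uses to ship stolen data out. The block below is an added example, not part of the sandbox report or the Triage tooling; it turns the host and port above into a Suricata DNS rule and rates outbound flows against them. The `dns.query`/`bsize` keywords are Suricata 5.x syntax, the flow records and the `$HOME_NET`/`$EXTERNAL_NET` variables are assumptions for the example, and the sample flows are constructed.

```python
"""Turn the SMTP exfiltration settings extracted from this sample into
network indicators. Added example, not part of the sandbox report."""

# Values taken from the "Malware Config" section above.
EXTRACTED_CONFIG = {"protocol": "smtp", "host": "mail.flood-protection.org", "port": 587}


def suricata_dns_rule(config=EXTRACTED_CONFIG, sid=9100001):
    """Return a Suricata rule (5.x dns.query buffer, assumed available) that fires
    when a host in $HOME_NET resolves the exfil mail server.

    DNS is the reliable pivot: port 587 is STARTTLS submission, so after the
    EHLO/STARTTLS exchange the AUTH command and the stolen data travel encrypted
    and nothing distinctive is left in clear text for a content match.
    """
    host = config["host"]
    return (
        "alert dns $HOME_NET any -> any any "
        f'(msg:"AgentTesla exfil mail host lookup {host}"; '
        f'dns.query; content:"{host}"; nocase; bsize:{len(host)}; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def classify_flow(flow, config=EXTRACTED_CONFIG):
    """Rate one outbound flow against the extracted config.

    'high'   -> the configured host on the configured port (exfil session)
    'medium' -> the configured host on any other port (still worth a look)
    None     -> unrelated. Names are compared case-insensitively, trailing dot ignored.
    """
    name = flow.get("dst_name", "").rstrip(".").lower()
    if name != config["host"].lower():
        return None
    if flow.get("proto") == "tcp" and flow.get("dport") == config["port"]:
        return "high"
    return "medium"


def exfil_flows(flows, config=EXTRACTED_CONFIG):
    """Return (src, rating) for every flow that touches the exfil host."""
    rated = ((f["src"], classify_flow(f, config)) for f in flows)
    return [(src, rating) for src, rating in rated if rating]


# Constructed flow records (resolved names attached by a DNS-to-flow join), example only.
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst_name": "mail.flood-protection.org", "proto": "tcp", "dport": 587},
    {"src": "10.0.0.12", "dst_name": "smtp.office365.com", "proto": "tcp", "dport": 587},
    {"src": "10.0.0.20", "dst_name": "MAIL.flood-protection.org.", "proto": "tcp", "dport": 443},
]

if __name__ == "__main__":
    print(suricata_dns_rule())
    for src, rating in exfil_flows(SAMPLE_FLOWS):
        print(f"{src}: {rating}")
```

Two practical caveats. Agent Tesla operators frequently exfiltrate through compromised legitimate mail accounts, so treat the hostname as something to alert on and investigate rather than something to sinkhole blindly, and report the account itself to the mail provider. And because the config is extracted in clear, anyone holding this report can log in to the collection mailbox; that is exactly why the credentials, not the binary hash, are the indicator worth acting on first.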

Targets

    • Target

      WB 20200813020804.exe

    • Size

      794KB

    • MD5

      97058b5b713fce6d98933758debac2bd

    • SHA1

      aa1ef1ee348186489d9b6fc825d02aea5bc2abe8

    • SHA256

      bcc8c0f61a1dfdfd76ebe02523c3eef4362cb7fb3413b24a7632a2262219a589

    • SHA512

      842c4aa42314c28e9400ab1efc4c7ce22e48e1144dc0885b54908f38520b30e946fdadd8f3c9c7bf79fa48dc47ac6c6e1d4f8dca2f254c240c9d3267ca55f7ea

    • AgentTesla

      Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer, originally written in Visual Basic .NET. It harvests credentials from browsers, mail clients and FTP clients and exfiltrates them, in this sample over SMTP using the account in the extracted config above.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla (for example sitemanager.xml and recentservers.xml, which hold saved server logins).

    • Reads user/profile data of local email clients

      Email clients keep account settings and stored credentials on disk (in files or the registry), and infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

      Outlook account profiles, including stored mail server credentials, live in the registry under HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is the hallmark of process hollowing: the loader starts a legitimate process suspended, replaces its image with the payload, points the thread's entry at it and resumes it.
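The behaviours above are what the sandbox signatures key on; the same logic can be run over endpoint telemetry. The block below is an added example, not the sandbox's own signature code: it maps file, registry and API events to the four credential-store categories the report lists, ignores a client reading its own store (FileZilla opening sitemanager.xml is not theft), and records a cross-process SetThreadContext as the hollowing primitive. The event dicts and the store paths are assumptions for the example (the paths are the clients' standard defaults); the sample events are constructed.

```python
"""Map endpoint events to the infostealer behaviours flagged in this report.
Added example; the event format is a constructed, Sysmon-like dict stream."""
import re
from collections import defaultdict

# Default on-disk locations of the stores the report's signatures name. These are
# the clients' standard paths (an assumption for the example), matched case-insensitively.
STORES = {
    "ftp_client_data": [
        r"\\filezilla\\(sitemanager|recentservers)\.xml$",
        r"\\winscp\.ini$",
    ],
    "email_client_data": [
        r"\\thunderbird\\profiles\\[^\\]+\\(logins\.json|key[34]\.db)$",
        r"\\microsoft\\outlook\\[^\\]+\.(pst|ost)$",
    ],
    "browser_data": [
        r"\\(google\\chrome|microsoft\\edge|bravesoftware\\brave-browser)\\user data\\[^\\]+\\login data$",
        r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key[34]\.db)$",
    ],
    "outlook_profiles": [
        r"^hkcu\\software\\microsoft\\office\\\d+\.\d\\outlook\\profiles\\",
        r"^hkcu\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles\\",
    ],
}

# Processes that legitimately read their own store; their accesses are not counted.
OWNERS = {
    "ftp_client_data": {"filezilla.exe", "winscp.exe"},
    "email_client_data": {"thunderbird.exe", "outlook.exe"},
    "browser_data": {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"},
    "outlook_profiles": {"outlook.exe"},
}


def classify_access(image, target):
    """Return the store category `target` belongs to, or None when it is not a
    credential store or `image` is that store's own client."""
    exe = image.rsplit("\\", 1)[-1].lower()
    t = target.lower()
    for category, patterns in STORES.items():
        if any(re.search(p, t) for p in patterns):
            return None if exe in OWNERS[category] else category
    return None


def profile_events(events):
    """Aggregate behaviours per pid. A SetThreadContext aimed at another process
    is recorded as 'thread_context_tamper' (the process-hollowing primitive)."""
    hits = defaultdict(set)
    for ev in events:
        if ev["kind"] in ("file", "registry"):
            cat = classify_access(ev["image"], ev["target"])
            if cat:
                hits[ev["pid"]].add(cat)
        elif ev["kind"] == "api" and ev["target"] == "SetThreadContext":
            if ev.get("target_pid") != ev["pid"]:
                hits[ev["pid"]].add("thread_context_tamper")
    return {pid: sorted(cats) for pid, cats in hits.items()}


def verdict(behaviours):
    """Flag a process that touches two or more distinct credential stores; a single
    store produces too many benign hits (backup agents, profile migration tools)."""
    stores = [b for b in behaviours if b in STORES]
    return "infostealer" if len(stores) >= 2 else "benign"


# Constructed events for this example, not sandbox output.
_LOADER = r"C:\Users\victim\Downloads\WB 20200813020804.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "kind": "file", "image": _LOADER,
     "target": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 4120, "kind": "file", "image": _LOADER,
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "kind": "registry", "image": _LOADER,
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 4120, "kind": "api", "image": _LOADER, "target": "SetThreadContext", "target_pid": 4388},
    {"pid": 2210, "kind": "file", "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "target": r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"},
]

if __name__ == "__main__":
    for pid, behaviours in profile_events(SAMPLE_EVENTS).items():
        print(pid, verdict(behaviours), behaviours)
```

The owner allowlist is keyed on the image file name only, which a loader can defeat by naming itself filezilla.exe; in production, key it on signer or full path as well. The SetThreadContext check only sees calls whose target lies in another process, which is the case that matters for hollowing.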

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic               Technique                  ID       Matched signatures
    Credential Access    Credentials in Files       T1081    3
    Collection           Data from Local System     T1005    3
    Collection           Email Collection           T1114    1

    IDs are ATT&CK v6; in current ATT&CK, T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files).

Tasks