General

  • Target

    ab0ad177c9ec0aa4d3b0c7a16395d5d793ff997c390725f2a6e4a84a95302b39

  • Size

    468KB

  • Sample

    220521-myjj3sfggj

  • MD5

    5d6c731863077b98baf7136d249a1a96

  • SHA1

    9298d40739e6d654e96a63c84c15706034b5a069

  • SHA256

    ab0ad177c9ec0aa4d3b0c7a16395d5d793ff997c390725f2a6e4a84a95302b39

  • SHA512

    1b838fb210d5b69cb75223fcf5f575a75117b49ca74886034f6c66205f00e1355f50c3ff32b66c8f5d520a13d98bd91c606631714e3b73fdcee641b9facbbd4e

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.shrc-india.com
  • Port:
    587
  • Username:
    orders@shrc-india.com
  • Password:
    Orders@9999

Targets

    • Target

      sam334.exe

    • Size

      730KB

    • MD5

      09f3daddaec326433de907b3653d58e5

    • SHA1

      42886f9f361dc8aee4820d087dbbb865261b26ed

    • SHA256

      c04c4bb521cb18dc16fbacc4220c0f854bfadfdc0c016ec6fd868d52fe8c3e08

    • SHA512

      050fb5a6c3dbc0af923b29c16c11d3b65dfc57d3d53590ca324924b5bd66d2f666be65fd8ed72b7fcf2b3dbdf8732ed64c5e24dae3ac7c97c2414cec1f8c728c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Credential Access

    T1081 Credentials in Files (3)

  • Collection

    T1005 Data from Local System (3)

    T1114 Email Collection (1)

Tasks