General

  • Target

    960cb20824a37a302d5741fc9d62e89852a3b9fe33a70f08ef136cc60def4705

  • Size

    469KB

  • Sample

    220521-mypq4afggp

  • MD5

    3a0adc0009b659a108b8ddc3d7ea171c

  • SHA1

    02d39c45d304208eb55d19e3efc1bf920324f2d9

  • SHA256

    960cb20824a37a302d5741fc9d62e89852a3b9fe33a70f08ef136cc60def4705

  • SHA512

    5707403516d3452457793f944834152de2cc5c6e92d0cf70322526fb4ea40e9e3e364c8dea7ffe6eb7ad8e162789dc0d7fcea1a9cf12f2acedad70832bdfb010

Malware Config

Extracted

  • Family
    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.cjcurrent.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    jHb^rbR5d#(U

Targets

    • Target

      30072020.pdf.exe

    • Size

      772KB

    • MD5

      13e7349fd6f9aaabb9a6f09c42a0740a

    • SHA1

      de355724a4a2f0f4a9abadd0112fbf48a71cbbe2

    • SHA256

      176962cff7fd1726db08ef313eae338fbadcdcac32db1ef02dbd24434d2b8b4c

    • SHA512

      f3a58cddd74e19be7af7027a6f489869b58dd7f252f76ffefa23c3240d1bab9bb730e0909d60b37447fee6c5cbc71f08302384251b30dd02cee6fcf596a08e67

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                            Count  ID
Persistence        Registry Run Keys / Startup Folder   1      T1060
Defense Evasion    Modify Registry                      1      T1112
Credential Access  Credentials in Files                 3      T1081
Collection         Data from Local System               3      T1005
Collection         Email Collection                     1      T1114
