General

  • Target

    6c11886cb1dd5dec119ba707555dd0bbb5705c97e60221a4108141f796ed4b7d

  • Size

    463KB

  • Sample

    220521-myzw3acfh6

  • MD5

    81541448dce4dd4077e5d6bdb52a6a7d

  • SHA1

    84d91668b34be38942287b1f3d3d0f32db5c8236

  • SHA256

    6c11886cb1dd5dec119ba707555dd0bbb5705c97e60221a4108141f796ed4b7d

  • SHA512

    afff5c2785c0b4bc1cb67d36b3e339039a7211ef10249ab6a5e9a1e6a45cdc6191b048d140879a3c4a4fadbdf01ffa3b0d47f7eb1af45a866f08a6d2b2ac591f

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    chuk5anderson@yandex.ru
  • Password:
    chukwudi123
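The extracted config is the sample's exfiltration channel: Agent Tesla logs into the configured mailbox over SMTP and mails out what it has stolen. The script below is an added example, not part of the sandbox report, showing how those values are used on the wire and how to match them. It recovers the username and password from an SMTP AUTH LOGIN or AUTH PLAIN exchange (both are sent base64-encoded, not encrypted) and checks a session against the host, port and mailbox above. The transcript and the benign session are constructed for this example, and the function names (`smtp_auth_credentials`, `exfil_indicators`) are assumptions of the example.

```python
import base64

# Indicators copied from the extracted config above.
EXFIL_HOST = "smtp.yandex.com"
EXFIL_PORT = 587
EXFIL_USER = "chuk5anderson@yandex.ru"
EXFIL_PASS = "chukwudi123"


def _b64(text):
    """Decode one base64 SASL line; return '' (not an exception) on garbage."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        return ""


def smtp_auth_credentials(session):
    """Recover (user, password) from an SMTP transcript, or None if no AUTH is seen.

    `session` is a list of (direction, line) pairs, direction "C" for client and
    "S" for server. Covers AUTH LOGIN (username and password as two separate
    base64 lines, optionally with the username inline) and AUTH PLAIN (one base64
    blob of "\\0user\\0pass"), the two plaintext SASL mechanisms most submission
    servers accept.
    """
    client = [line.strip() for direction, line in session if direction == "C"]
    for i, line in enumerate(client):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        if mech == "PLAIN":
            blob = parts[2] if len(parts) > 2 else (client[i + 1] if i + 1 < len(client) else "")
            fields = _b64(blob).split("\0")
            return (fields[1], fields[2]) if len(fields) == 3 else None
        if mech == "LOGIN":
            rest = client[i + 1:i + 3]
            if len(parts) > 2:  # initial-response form: AUTH LOGIN <b64 username>
                rest = [parts[2]] + client[i + 1:i + 2]
            return (_b64(rest[0]), _b64(rest[1])) if len(rest) == 2 else None
    return None


def exfil_indicators(dst_host, dst_port, session):
    """List the ways a session matches the extracted config (empty list = no match)."""
    reasons = []
    if dst_host.lower() == EXFIL_HOST and dst_port == EXFIL_PORT:
        reasons.append("destination is the extracted SMTP host/port")
    creds = smtp_auth_credentials(session)
    if creds is not None:
        user, password = creds
        if user.lower() == EXFIL_USER:
            reasons.append("AUTH username is the extracted mailbox")
        if password == EXFIL_PASS:
            reasons.append("AUTH password matches the extracted config")
    for direction, line in session:
        if direction == "C" and line.upper().startswith("MAIL FROM:") and EXFIL_USER in line.lower():
            reasons.append("MAIL FROM uses the extracted mailbox")
            break
    return reasons


# Constructed transcript for this example (not captured from the sample). The two
# client base64 lines are "chuk5anderson@yandex.ru" and "chukwudi123" from the
# config; the 334 prompts decode to "Username:" and "Password:".
CONSTRUCTED_SESSION = [
    ("S", "220 smtp.yandex.com ESMTP"),
    ("C", "EHLO DESKTOP-XXXX"),
    ("S", "250 AUTH LOGIN PLAIN"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),
    ("C", "Y2h1azVhbmRlcnNvbkB5YW5kZXgucnU="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("C", "Y2h1a3d1ZGkxMjM="),
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<chuk5anderson@yandex.ru>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<chuk5anderson@yandex.ru>"),
    ("S", "250 2.1.5 Ok"),
]

# A benign submission using AUTH PLAIN ("\0alice@example.org\0hunter2"), also constructed.
BENIGN_SESSION = [
    ("C", "EHLO laptop"),
    ("C", "AUTH PLAIN AGFsaWNlQGV4YW1wbGUub3JnAGh1bnRlcjI="),
    ("C", "MAIL FROM:<alice@example.org>"),
]

if __name__ == "__main__":
    print(smtp_auth_credentials(CONSTRUCTED_SESSION))
    for reason in exfil_indicators("smtp.yandex.com", 587, CONSTRUCTED_SESSION):
        print("match:", reason)
    print("benign:", exfil_indicators("smtp.gmail.com", 587, BENIGN_SESSION))
```

One caveat for anyone turning this into a network detection: port 587 normally negotiates STARTTLS before AUTH, so the credential lines are only visible in a sandbox capture or behind a TLS-inspecting proxy. The destination host/port and the DNS lookup for smtp.yandex.com remain usable indicators regardless, but on their own they are weak because the host is a legitimate public mail service; the mailbox name is the specific indicator.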

Targets

    • Target

      Payment Proof.exe

    • Size

      806KB

    • MD5

      6c8f01372803ed1b13e8e03bc764b84f

    • SHA1

      2851549bed6bab05ddd74c2ae97e7324b2df8e31

    • SHA256

      c482ca787afb6b9f12e79b80f791494338b6a353950c12e57df5b1411a1ccd50

    • SHA512

      fae08dac1a2f78177fd274954e00f57b6e16b869a8ed8fe1d8d61c7fd01c875dff44df69493dffb59c9f6ab25ac39b7a2ce12ddea7602444c149a7c475c6a487

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET; it harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk, where infostealers commonly harvest them.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved logins, cookies and form data.

    • Accesses Microsoft Outlook profiles

      Outlook keeps account configuration, including stored credentials, in per-profile registry keys under HKCU, which infostealers read to recover mail credentials.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state; used on a suspended process it is the classic way to redirect execution into injected code (process hollowing / RunPE), a loader technique commonly used to unpack and run the Agent Tesla payload.
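The four "Reads ... / Accesses ..." signatures above are all file or registry reads of well-known credential stores. The script below is an added example, not part of the report or of the sandbox's own signature engine: it classifies accessed paths against those stores and rolls them up into the technique IDs used in the matrix below. The mapping of the three "Reads" signatures to both T1081 and T1005 and of the Outlook signature to T1114 is an assumption, chosen because it reproduces the 3 / 3 / 1 counts shown on this page. The access events are constructed for the example, and `classify` and `summarize` are hypothetical names.

```python
import re
from collections import defaultdict

# (regex over the lowercased, backslash-normalised path, signature label from the
#  report, ATT&CK v6 technique IDs it rolls up into)
RULES = [
    (r"\\filezilla\\(sitemanager|recentservers|filezilla)\.xml$",
     "Reads data files stored by FTP clients", ("T1081", "T1005")),
    (r"\\chrome\\user data\\[^\\]+\\login data$",
     "Reads user/profile data of web browsers", ("T1081", "T1005")),
    (r"\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db|signons\.sqlite)$",
     "Reads user/profile data of web browsers", ("T1081", "T1005")),
    (r"\\thunderbird\\profiles\\[^\\]+\\(logins\.json|key4\.db)$",
     "Reads user/profile data of local email clients", ("T1081", "T1005")),
    (r"\\microsoft\\office\\\d+\.0\\outlook\\profiles",
     "Accesses Microsoft Outlook profiles", ("T1114",)),
    (r"\\windows messaging subsystem\\profiles",
     "Accesses Microsoft Outlook profiles", ("T1114",)),
]


def classify(path):
    """Return (signature label, technique IDs) for a file or registry path,
    or None if the path is not a credential store of interest."""
    normalised = path.lower().replace("/", "\\")
    for pattern, label, techniques in RULES:
        if re.search(pattern, normalised):
            return label, techniques
    return None


def summarize(paths):
    """Map technique ID -> sorted list of distinct signatures that fired,
    i.e. the per-technique counts the matrix on this page shows."""
    hits = defaultdict(set)
    for path in paths:
        result = classify(path)
        if result is None:
            continue
        label, techniques = result
        for technique in techniques:
            hits[technique].add(label)
    return {technique: sorted(labels) for technique, labels in hits.items()}


# Constructed access events (not taken from the sandbox run); the last one is a
# decoy to show that ordinary file activity is not flagged.
CONSTRUCTED_ACCESSES = [
    r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml",
    r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml",
    r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json",
    r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\key4.db",
    r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
    r"C:\Users\victim\AppData\Local\Temp\Payment Proof.exe",
]

if __name__ == "__main__":
    for technique, labels in sorted(summarize(CONSTRUCTED_ACCESSES).items()):
        print(technique, len(labels), labels)
```

The regexes key on the profile-store file names rather than on whole paths, so they hold across user names, drive letters and Firefox/Thunderbird profile directory names; a real host-based rule would additionally require that the reading process is not the owning application (FileZilla, Chrome, Outlook reading their own stores is normal).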

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                 Signatures  ID
  Credential Access   Credentials in Files      3           T1081
  Collection          Data from Local System    3           T1005
  Collection          Email Collection          1           T1114

  The IDs are from ATT&CK v6, as labelled. T1081 was later retired and folded into T1552.001 (Unsecured Credentials: Credentials In Files); T1005 and T1114 are still current, T1114 now with sub-techniques.
