General

  • Target

    27fcab0d42fd182772b088b02fa0fb3cc52e7f30c9a8fee9756c2245d63f12bf

  • Size

    479KB

  • Sample

    220521-mzrxvafhbr

  • MD5

    5a828f6b893e69c85b9d485ad2385dd7

  • SHA1

    c259ceb45b1071f5ba3d0e549aeddf3a62aa3992

  • SHA256

    27fcab0d42fd182772b088b02fa0fb3cc52e7f30c9a8fee9756c2245d63f12bf

  • SHA512

    b3b7b5f151bc1a96f4901e5a81a5d5f08abe5550b00dad7942b23c838f62ed25be90934006b0c24d5e06893bf84cd7ab44777cc7d91e3c1eaec835b4720218b9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.hk-gruop-sg.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YERuFGp7

Targets

    • Target

      Revised PO# 453924.exe

    • Size

      775KB

    • MD5

      9943384ae07ee24b27111dcfa3ad3f28

    • SHA1

      d05c756801a33f30c8c8c54c2513590a7ae56e97

    • SHA256

      345f849a0cfc012229e71b4c53ff148b9cadaecd692f624f917e35dfed7f820b

    • SHA512

      6a1944d0807e2646a4909a16d0ab9fce1d4cc74a1d90e7485172600580a83157bed1941929808b2dbfabfa7e90007ea4624d61af406326682a3a1f9244863176

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks