General

  • Target

    c3e4ef601f74d417fc6eb43f476a53e99c61f78b3890205b9d51ca9896eea229

  • Size

    352KB

  • Sample

    220521-n1bgxshefn

  • MD5

    2525beb5c8adfa8d81efd475963d5c66

  • SHA1

    f267beef8064d09ce8aaa42b2c3157be02238036

  • SHA256

    c3e4ef601f74d417fc6eb43f476a53e99c61f78b3890205b9d51ca9896eea229

  • SHA512

    81d899712067a8a2734812d92ff0ff00075e61efa294ec20193798d108467894a6ea152270764d0e3dcf6543a9255c268812906f20b4fa3ef5297c0b7ef7f334

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Dmacdavid

Targets

    • Target

      Our Comapny Profile.exe

    • Size

      511KB

    • MD5

      dffe94f322f08bfa232ec74132bba4dc

    • SHA1

      295f6e2d6ba25039dc7e060f58cca62e76a3cea9

    • SHA256

      c7b49d64f3d9a7201d376c1c85085e8aed8b2911e0a7049047a6e8df62e0d70b

    • SHA512

      96c86b0a473cccf48b8efa032331573a9fa948b09227f8f0902da8b11b761cd36021b524fd569f26cfcac1fa7b6f04e8df9e09ab440d3339205982c5e5af6939

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Tasks