General

  • Target

    cd6c0b0f67bee9e57089b02c1b8a83ea0d454d5eb3790b9aab0f002d63b0133f

  • Size

    1.2MB

  • Sample

    220521-n5mqrahgfq

  • MD5

    1a6cf4d8b537b162d65da8f536404494

  • SHA1

    1684843cd07696be5643dd3859442bf17a491564

  • SHA256

    cd6c0b0f67bee9e57089b02c1b8a83ea0d454d5eb3790b9aab0f002d63b0133f

  • SHA512

    0e8028f1d82ae20ad3e5a3951c9ad0f7bfa3745d4326e6cc69fa94ef13b77afbd78fcc2a99a864ec0472ac7467db426485d7307f3a5c37536f68b47cd7e7e6af

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.dogulumetal.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    DMaslak2950**

Targets

    • Target

      SKM20064.EXE

    • Size

      620KB

    • MD5

      bdb5b41a394905200a90edf2632d469c

    • SHA1

      9a5b37360aace8702a01877ded6a5bb7e0553996

    • SHA256

      d7d6711fecf46a82d89b1d0ccba6e4a3cf2e5016a24671abeda65f620b8006f0

    • SHA512

      ca3f710ad971e95210827790b4509613a3a83b4c987e3e45dc16ac8ae83d6bd1e3309ca4d9261cf9390031d72686dbb84e5effb9d34f8315b519b286908ed517

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic, then technique (count) and technique ID:

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Credential Access
    Credentials in Files (3) T1081
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082
  • Collection
    Data from Local System (3) T1005
    Email Collection (1) T1114

Tasks