General

  • Target

    b3d345c8b3c9fbd8dd75dfe373beeca27c63aab4d3778ef6dc1e2167b89d6f80

  • Size

    271KB

  • Sample

    220521-n5xwqahghl

  • MD5

    ea0549838ca694514ba3d5222ebbafea

  • SHA1

    544f62060683807a459e8a9ad181410687e13833

  • SHA256

    b3d345c8b3c9fbd8dd75dfe373beeca27c63aab4d3778ef6dc1e2167b89d6f80

  • SHA512

    08bc30de96f17374bbbe46bb8f6e0bf6edcd9f2ea2ed662b749a34ad77a5b9f024a98aec06fb7fab9bf4cb04ac0d1c60c0a7cd758acba86fb9c776cdcd0a3c76

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.flood-protection.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    emmydon2424@

Targets

    • Target

      EMD2343.exe

    • Size

      648KB

    • MD5

      b73a5278882483017c5b3b40b2979e15

    • SHA1

      716441708ae9146c1f79681c7c83dd8b3ea197b6

    • SHA256

      e15aa7c26008b8fe0d0a18be659ac958c5012837bce4d30d39f82848e73e4444

    • SHA512

      9b444a177def9d7d8e4f3d88eac3cab25c42f0ca1a49e94c55030c3ebf8b3d6e9364a00d49ef94af79c649ee0c1e4701211d9d5a2a575d1db4a9c6d6b005c196

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 3

  • Collection

    Data from Local System (T1005): 3

    Email Collection (T1114): 1
