General

  • Target

    6b0fe1f4cfb10e06abc3603956fcf0953de6e4ab63a034665d449b4f880366ef

  • Size

    325KB

  • Sample

    220521-n6qtsshhcm

  • MD5

    3668fc5c56b2a376e8cefb0171ea15e2

  • SHA1

    72b02f669454dffe97723340b19d020c1aaf19e9

  • SHA256

    6b0fe1f4cfb10e06abc3603956fcf0953de6e4ab63a034665d449b4f880366ef

  • SHA512

    e1d64b6280e25b795182b20586234c20861531500cf7f07ea916fec0908861b9997f6f7f7430b0524250d5999e51efffe1df53f329e4ab9bb10bdd99851f56e4

Malware Config

Targets

    • Target

      Purchase Order - 8279018110.exe

    • Size

      368KB

    • MD5

      ce16e76c031c756a7580719e65e0ff63

    • SHA1

      cde97cb49d940071dc5b5d0cb4af0e59ce2a830c

    • SHA256

      09d051ae9f992668f4b86a538c3483174f491cd16b18ca1e6799eaf1506e4a87

    • SHA512

      ddd5c2241e07b4d1610d13312e118d0b7558fbf38dc0b4a828f773b4de2ea85a36805940193fe28b3405bdfdc33546f949716471e81c1d737afffec93bd21b7d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 3

Collection

  • Data from Local System (T1005): 3

  • Email Collection (T1114): 1

Tasks