General

  • Target

    4854ed4de224321bd425305d4d54bfd97850e5aceb45956a4ded4e800bb67333

  • Size

    521KB

  • Sample

    220521-n8v7asegh6

  • MD5

    620cc8bfdae12de03f096f63db4e4f96

  • SHA1

    3651486d23dca237e91949afb44ddbab21acbb20

  • SHA256

    4854ed4de224321bd425305d4d54bfd97850e5aceb45956a4ded4e800bb67333

  • SHA512

    01ed15ac1abe033068ef333448d25d73c60bebef8204d316ef82defdb4d92fd184dfee7d34e42ff823110c96c99f0d9907eb1c866ab1518737e962d1c887a8f9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    kingmoney12345

Targets

    • Target

      payment copy.pdf.exe

    • Size

      673KB

    • MD5

      a3de29f96c57deabbdb90fa21f3b5290

    • SHA1

      2b1d500c2064d163a250ec090f5d4d890a58ac9a

    • SHA256

      9f124b201243a16323689f45e0faacac2ed9f77f748b0b69045fea2c3acfaa72

    • SHA512

      84d7cc62c0478cdd6a89c9d0e17faeb8e1d2c1963d4ea358b3a1dcf48c6508c11d7623dd920a03a261a9dd33da7beb5839004ba2431dbfa4e593a41302ce6572

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

  • Credentials in Files (T1081): 3

Collection

  • Data from Local System (T1005): 3
  • Email Collection (T1114): 1
