General

  • Target

    e349e9d4fd38c51f23ba9cb3d63cd483c25e1daeb91d0dc37fa35a00c83bf5dd

  • Size

    620KB

  • Sample

    220521-nqj2bahbcq

  • MD5

    930c9e47ea7edbbad27bf4d807955e6a

  • SHA1

    adf76678f3159a0313132d7e55d1e3b05d3d5249

  • SHA256

    e349e9d4fd38c51f23ba9cb3d63cd483c25e1daeb91d0dc37fa35a00c83bf5dd

  • SHA512

    0fb3e7844f85b5019c091714e50bc3f167e57cfe6452cc15b764d138785d45d5f0db793e50e504eb80b2e81eae39d88a324ce837fdb7cce15d1c69c07afa27a7

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    Smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    shawama1000

Targets

    • Target

      img-602105445-0004.exe

    • Size

      674KB

    • MD5

      eb1e050fb735091e55bd6c5c4c46989e

    • SHA1

      42139d4499987f728f2a34cc71aa3d1ba5cc242d

    • SHA256

      ae97f320b8367d49172cc3a96acd6bc765ba935ad5426d126f8fcc2b4a2fc094

    • SHA512

      63fb56f95c840cdd6df18672786f09beb826b66388ae3ac69c811cd060e0ccf51a076d1fda6650e5f687cfc748422800e94a57699b9976a77737089587d0f49b

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scheduled Task (1) T1053

Persistence

  • Scheduled Task (1) T1053

Privilege Escalation

  • Scheduled Task (1) T1053

Defense Evasion

  • Virtualization/Sandbox Evasion (2) T1497

Credential Access

  • Credentials in Files (3) T1081

Discovery

  • Query Registry (5) T1012
  • Virtualization/Sandbox Evasion (2) T1497
  • System Information Discovery (4) T1082
  • Peripheral Device Discovery (1) T1120

Collection

  • Data from Local System (3) T1005
  • Email Collection (1) T1114

Tasks