General

  • Target

    6d123955f4e88f7aa0e4466d063033f054f28714a53229c77e18d5cfaee44792

  • Size

    433KB

  • Sample

    220521-pknb8aafgn

  • MD5

    2dc214ccf4770c4b2615dab34067c52a

  • SHA1

    3ba9e3fec582010c454ddd7f5c2f92fe3c9c56b0

  • SHA256

    6d123955f4e88f7aa0e4466d063033f054f28714a53229c77e18d5cfaee44792

  • SHA512

    08b53bca8aecc6d70b5178121fdd7b604186f39bf29d2316e7c2acb863112b4ae146e05267dc995e57d181a8329308725593f8c22647a591bdddec9ec358be7d

Malware Config

Extracted

  • Family

    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gfaqrochem.com
  • Port:
    587
  • Username:
    turkey@gfaqrochem.com
  • Password:
    k@rCFBF4

Targets

    • Target

      CT_Y039581726.exe

    • Size

      509KB

    • MD5

      120d7f3a1d90817bae339b50b40d17d3

    • SHA1

      79ce12a56cda10d463fc45926eeb216c133d9702

    • SHA256

      48a8412a53603f0802d074c01c6792940732155c95b38b168d37965ecadba031

    • SHA512

      dc60c97026a63cd77ab241a8cb63ac1875ba1af6fe76aa1f30dc3fe6d04c3c0bd1ff6ae3d4f5b096540a76b7bb6e826f91242fab5c68836822aea9b63f6e173a

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.

    • AgentTesla Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1): T1053

  • Persistence

    Scheduled Task (1): T1053

  • Privilege Escalation

    Scheduled Task (1): T1053

  • Credential Access

    Credentials in Files (3): T1081

  • Discovery

    Query Registry (1): T1012

    System Information Discovery (2): T1082

  • Collection

    Data from Local System (3): T1005

    Email Collection (1): T1114

Tasks