a40a664137a3573248372810f32015f2e0e1f93d000bb8d45a455b5c1c8691d0

General
Target

a40a664137a3573248372810f32015f2e0e1f93d000bb8d45a455b5c1c8691d0

Size

335KB

Sample

220521-pt5mvsgac3

Score
10 /10
MD5

99f02941df7d879298f5234581717e45

SHA1

ef35ae182f86d7d279fc96486ceed006e593c915

SHA256

a40a664137a3573248372810f32015f2e0e1f93d000bb8d45a455b5c1c8691d0

SHA512

fc7ee58fa8d8678c0a5b86c4d3c7553facfddd97af61440729e9f3a3a048bfc6162b3237699fe7c0a521dee2d759b5c9477e2c5cb4d731525b7e3070780f1f8b

Malware Config

Extracted

Family agenttesla
Credentials

Protocol: smtp

Host: mail.itdone.cz

Port: 587

Username: testovaci@itdone.cz

Password: viObavejMa

Targets
Target

RFQ0392.exe

MD5

b3911724ce21ecfb5c68e35848a49ded

Filesize

389KB

Score
10/10
SHA1

5a598183755980fa9719ede513244099ee315462

SHA256

bb8e4fd77036e0c835a7362aa8288dc6d24a935917455d8c6dbdf28361ff725d

SHA512

1e41fe3de2a9ccacb8abb8c5c557e38ff186375b9d902b2992f248d77017dc56a930cfce3ad629f78349c5a9a3b9fc1c969051c376800972bd4b56108541911f

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • AgentTesla Payload

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses Microsoft Outlook profiles

    Tags

    TTPs

    Email Collection
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                Privilege Escalation