General

  • Target

    823b3fc9bffb074b433166e3d498b751bbdf59c1e08647cf4ed2f179af468743

  • Size

    2.4MB

  • Sample

    220521-pv285abcej

  • MD5

    70e21923c5890a492c200463f85696a8

  • SHA1

    e4dee775c2d5d6751670bb566de0e1d512692439

  • SHA256

    823b3fc9bffb074b433166e3d498b751bbdf59c1e08647cf4ed2f179af468743

  • SHA512

    8eb869a43e5ae5c39dc3f2aa0c329eb46d8f1641b88bbb44e3564e28be7522443c317715ed09f01162b7200ffbf85de0db273530ca42ccc33e0333d016d9c5d1

Malware Config

Targets

    • Target

      Veladecor_order1000000000_img.exe

    • Size

      2.3MB

    • MD5

      bf843f563de7b1d842993131a9710ae7

    • SHA1

      3501e6159b8cbfdf0b80fcc8dee952afb79e1ba0

    • SHA256

      aa1cbc4490796352b22e093125284877d57399696b722829f6b1056aa14c2eff

    • SHA512

      caebf5ada247c8eeea509aaf358c8f17a52a2bbe15389beb6f218211cc72e503e51c7d53dae39fae2dddfd8bac9b57aaa042cf19d6152f78ebea25985f59eaff

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic .NET; in practice it is used mainly as an information stealer.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data (account settings and saved credentials) on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and cookies.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
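
    The four "reads/accesses" signatures above are all triggered by the same kind of evidence: the sample opening files or registry keys that belong to another program's credential store. The following is an added example, not part of the sandbox report or of the sandbox's own signature code. It classifies constructed file and registry access events against patterns for the stores those signatures describe (FileZilla, Thunderbird, Firefox, Chrome, Outlook profile keys), then derives per-technique counts the way the ATT&CK matrix below tallies them. The paths, registry keys and the signature-to-technique mapping are assumptions chosen to mirror the report, not taken from it.

```python
"""Classify sandbox access events into infostealer signatures and ATT&CK counts.

Added example, not part of the sandbox report. Paths, registry keys and the
signature-to-technique mapping are assumed here to mirror the report's output.
"""
import fnmatch
from collections import Counter, namedtuple

Signature = namedtuple("Signature", "name kind patterns techniques")


def _norm(path):
    """Lower-case and use '/' so patterns match regardless of separator or case."""
    return path.replace("\\", "/").lower()


# Assumed signature catalogue. Names mirror the report; patterns are the usual
# on-disk credential stores of each program (fnmatch syntax, already normalised).
SIGNATURES = [
    Signature(
        "Reads data files stored by FTP clients", "file",
        ["*/appdata/roaming/filezilla/sitemanager.xml",
         "*/appdata/roaming/filezilla/recentservers.xml",
         "*/appdata/roaming/filezilla/filezilla.xml"],
        ["T1081", "T1005"]),
    Signature(
        "Reads user/profile data of local email clients", "file",
        ["*/appdata/roaming/thunderbird/profiles/*/logins.json",
         "*/appdata/roaming/thunderbird/profiles/*/key4.db"],
        ["T1081", "T1005", "T1114"]),
    Signature(
        "Reads user/profile data of web browsers", "file",
        ["*/appdata/local/google/chrome/user data/*/login data",
         "*/appdata/roaming/mozilla/firefox/profiles/*/logins.json",
         "*/appdata/roaming/mozilla/firefox/profiles/*/key4.db"],
        ["T1081", "T1005"]),
    Signature(
        "Accesses Microsoft Outlook profiles", "registry",
        ["hkcu/software/microsoft/office/*/outlook/profiles*",
         "hkcu/software/microsoft/windows nt/currentversion/"
         "windows messaging subsystem/profiles*"],
        []),  # the report's matrix attaches no technique to this signature
]

# Constructed sample events (process, kind, path); not captured from the sample.
SAMPLE_EVENTS = [
    ("Veladecor_order1000000000_img.exe", "file",
     r"C:\Users\bob\AppData\Roaming\FileZilla\recentservers.xml"),
    ("Veladecor_order1000000000_img.exe", "file",
     r"C:\Users\bob\AppData\Roaming\FileZilla\sitemanager.xml"),
    ("Veladecor_order1000000000_img.exe", "file",
     r"C:\Users\bob\AppData\Roaming\Thunderbird\Profiles\abc123.default-release\logins.json"),
    ("Veladecor_order1000000000_img.exe", "file",
     r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("Veladecor_order1000000000_img.exe", "file",
     r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x9y8.default\key4.db"),
    ("Veladecor_order1000000000_img.exe", "registry",
     r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    ("explorer.exe", "file", r"C:\Users\bob\Documents\report.docx"),  # benign noise
]


def classify_event(kind, path):
    """Return the names of every signature whose patterns match one access event."""
    norm = _norm(path)
    return [s.name for s in SIGNATURES
            if s.kind == kind and any(fnmatch.fnmatchcase(norm, p) for p in s.patterns)]


def triage(events):
    """Aggregate events into signature hit counts, technique counts and offending processes.

    Techniques are counted once per matched signature (not per event), which is
    how the per-technique numbers in the ATT&CK matrix come out.
    """
    sig_hits, processes = Counter(), set()
    for proc, kind, path in events:
        hits = classify_event(kind, path)
        sig_hits.update(hits)
        if hits:
            processes.add(proc)
    by_name = {s.name: s for s in SIGNATURES}
    techniques = Counter()
    for name in sig_hits:
        techniques.update(by_name[name].techniques)
    return {"signatures": sig_hits, "techniques": techniques, "processes": processes}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for name, n in report["signatures"].items():
        print(f"{n}x  {name}")
    print("ATT&CK:", dict(report["techniques"]))
    print("Processes:", sorted(report["processes"]))
```

    On the constructed events this yields the same per-technique totals as the matrix below (three signatures under T1081 and T1005, one under T1114), which is the useful check: a single file open against a FileZilla or browser profile path is enough to light up both Credential Access and Collection, so the counts measure breadth of the stores touched rather than volume.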

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                 Signatures   ID
Credential Access    Credentials in Files      3            T1081
Collection           Data from Local System    3            T1005
Collection           Email Collection          1            T1114

Tasks