511911c49fabf8c4744bfb6d9f3003d23583f3e153ed34ebff332d455beaa8a7

General
Target

511911c49fabf8c4744bfb6d9f3003d23583f3e153ed34ebff332d455beaa8a7

Size

434KB

Sample

220521-pxalwsgbb5

Score
10/10
MD5

5b64fe86bc33211f473983d4616566e3

SHA1

2b9b2471a446c2a5e054b7ed6fd17daac765e9bb

SHA256

511911c49fabf8c4744bfb6d9f3003d23583f3e153ed34ebff332d455beaa8a7

SHA512

f0e116a4715199f5c7772693ba23a92a85036b1d59aaf2718eb0ef25a344f0b345488253d8c9dcd453fefc51b695c0f945ec5024a55ed41a7499205ad7283852

Malware Config

Extracted

Credentials

Protocol: smtp

Host: smtp.yandex.com

Port: 587

Username: kelvinjohnmoore25@yandex.com

Password: ezesundayngma

Targets
Target

cotización.PDF________________________.exe

MD5

e73d435515fa8765d7a2992758ad2ef9

Filesize

527KB

Score
10/10
SHA1

277c4e77aabffda266061e0a18f3017bd77a9e71

SHA256

e1cc292b3eb8e646e0c778966a3150d2f278e1394059cf31106301bb003d273f

SHA512

a833faf13c4536bffe2c1009d9bbc2185de55737445281bc3d909e231fff27573ce88bfb7412a1eb6c15b2a396a8cef1b5cfdb8e4c9006f2699bd46ca80f8c52

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses Microsoft Outlook profiles

    TTPs

    Email Collection
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation