40d5bbe1d42fcbf09fa3789174d04f8a07c44417ecf1b9823a9dda4f399c12d5

General

Target: 40d5bbe1d42fcbf09fa3789174d04f8a07c44417ecf1b9823a9dda4f399c12d5

Size: 677KB

Sample: 220521-pxqccabdcn

Score: 10/10

MD5: dd160559c24405ee18fec9e2399ee5b8

SHA1: 16d80bfca6be01b9e0a5fa609272720432bc0e21

SHA256: 40d5bbe1d42fcbf09fa3789174d04f8a07c44417ecf1b9823a9dda4f399c12d5

SHA512: 350b167dd3318bf30e783cee187837cf155b380ba4015363a9f5755d3076de82a34138bae616af59e703f9fc6096105747fe17bd2fd1ccebb3eb3125de42f605

Malware Config

Extracted

Family: agenttesla

Credentials

Protocol: smtp

Host: mail.varda.com.tr

Port: 587

Username: info@varda.com.tr

Password: varda9997929

Targets

Target: Quotation Request.exe

MD5: cbfff4b18ad63daf6990e48335a7aa1b

Filesize: 1MB

Score: 10/10

SHA1: 76b04133c97c8689d1f4d567103775cc91e67236

SHA256: 55dda2889a2fae3ddbe54c70a6ff687d366887a672502d00513543bb9aa482f3

SHA512: 72e9b65ebc3452adc6f8ad83b5951f8d27eacfbcc01061243f3f989545e0076afc650eefd1de876ae91248c6be7c9ebdad85ccaf8d2b1ec91d7c8d9d4b26377b

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

  • Drops file in Drivers directory

  • Checks computer location settings

    Description

    Looks up the country code configured in the registry, likely for geofencing.

    TTPs

    Query Registry, System Information Discovery
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses Microsoft Outlook profiles

    TTPs

    Email Collection
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation