0e643a127fdcae3f0ada30f6448e0db52e1220b591da686d5b6895e5a26c1efa

General

Target: 0e643a127fdcae3f0ada30f6448e0db52e1220b591da686d5b6895e5a26c1efa
Size: 637KB
Sample: 220521-xfajkabeh5
Score: 10/10
MD5: 6146ab2e2854342da1d82704c5821515
SHA1: 7d379cebe5cab6a8a8a8a78f8b2891c5726645bf
SHA256: 0e643a127fdcae3f0ada30f6448e0db52e1220b591da686d5b6895e5a26c1efa
SHA512: 0f359320973ce053e36ccb2871d4b75ab5fbbed025a69233215c3c40a10cd3a6a5343c81edabf7ee220b1135288ff7e208e5deda70cf118a6b98ec19e931c637

Malware Config

Extracted

Family: agenttesla

Credentials

Protocol: smtp
Host: mail.cka.com.sg
Port: 587
Username: agnes@cka.com.sg
Password: agnescka82


Targets

Target: NEW PO.exe
MD5: a6da76fa51f029d56650a892efc0f353
Filesize: 552KB
Score: 10/10
SHA1: 1e23cde32f44ea7e2eb4a23248a8c7d40b595e2c
SHA256: 80f41a09d12356205262bb77b16daeaf2a284a89fd737b042149a4207f16c702
SHA512: a1b4d0ca8066f83453004eac7e73baf94575d4af45f2a00c1fe42bff70a8375105a685efecad2c52604ecf3b5e9300650588fdaf9cb1330e00ba00795b5832b9

Signatures

  • AgentTesla

    Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

  • Checks computer location settings

    Description: Looks up the country code configured in the registry, likely for geofencing.

    TTPs: Query Registry; System Information Discovery

  • Reads user/profile data of local email clients

    Description: Email clients store some user data on disk, which infostealers often target.

    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers

    Description: Infostealers often target stored browser data, which can include saved credentials.

    TTPs: Data from Local System; Credentials in Files

  • Accesses Microsoft Outlook profiles

    TTPs: Email Collection

  • Adds Run key to start application

    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext

Related Tasks

Target: PO.xlsx
MD5: afb6307bf393aff2ba6e8b8c0199ff89
Filesize: 14KB
Score: 1/10
SHA1: 51868fcf5f7c73937fd075fe25ffc191ac41c6c9
SHA256: 4c81af66f036af9fdc5a53acc90b91d5e0a369978e5d186847bce31b52dc7484
SHA512: 49c6ed8128b2f04177960477eb4995ebee8fa59537da1f94b599e16a4b3f6faf30a44bb63bdc51dbba99dcaa9632066e5d2af81321efbbde5de774be66e5c80d

Related Tasks

Target: Quote for 20FT Tank Containers CYPRUSx.pdf
MD5: 194071ad3eccf329f3cd8aed324767df
Filesize: 113KB
Score: 1/10
SHA1: 333416d0c58eed30b7c4cdfbd13dd76ebf5149c9
SHA256: 3fed114564e25d121f53f45426c0c4b17449229194e3fe7b411640250389963e
SHA512: 7e6445534679226a07875d83872a7a9ba598242c0c16b3a22f7b3c68b1f1980f5b325da9ffb4b2568edfb610ac2ec496fda8a6a9ee23317cf5bff88eb34cc571

Related Tasks

MITRE ATT&CK Matrix

Tactic columns: Command and Control; Credential Access; Defense Evasion; Exfiltration; Impact; Initial Access; Lateral Movement; Privilege Escalation

Tasks

  • static1
  • behavioral3 (score 1/10)
  • behavioral4 (score 1/10)
  • behavioral5 (score 1/10)
  • behavioral6 (score 1/10)