General

  • Target

    d9e6cec88ebff6f971f3029bdba2ea6709a93cea73cb0e14f59d6f0f96727ee4

  • Size

    496KB

  • Sample

    220521-xjgr2sfbcn

  • MD5

    2e7f4bdc20dfecd05e4770182ebe83ce

  • SHA1

    8a16b58665915003071f4680dde5f35fb51f3f5b

  • SHA256

    d9e6cec88ebff6f971f3029bdba2ea6709a93cea73cb0e14f59d6f0f96727ee4

  • SHA512

    183f2176225fef73e370930c7416dee8a14d94edf7750b5d052c6801756521963974ca6874ba0425d30855f20b1242ec324043ad32daf5d36d96b5b22e02e61e

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.visgring.com
  • Port:
    587
  • Username:
    px@visgring.com
  • Password:
    uqtQpAv1

Targets

    • Target

      Invoice.exe

    • Size

      533KB

    • MD5

      676213812fcd942f150519418bad81f0

    • SHA1

      63c6513df8879238baef6869bd2c2c5324626337

    • SHA256

      c8f62dda091a29ed35c26e212840d0c260c9f420f5a7940b2b1f088ad10a3c2d

    • SHA512

      945e542fc9dca0dc00f342749fd4662fadf68b2284b8955211771f8a4d2bf897e12ee10fe9435b57bdd757aa954a239ed0f42d5e787f827113e69f825262b730

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks