General

  • Target

    c259b8829b8122e2c53e6ae18f6077aa5587848c15f2225cf8a3da9dfac7ccda

  • Size

    507KB

  • Sample

    220521-xjj76sbha8

  • MD5

    49d88fadb69db6aff4878d756f50c9ff

  • SHA1

    4293dd56e609e41c184efccfe5ee32ef06677aae

  • SHA256

    c259b8829b8122e2c53e6ae18f6077aa5587848c15f2225cf8a3da9dfac7ccda

  • SHA512

    5cb084cbb4b5a0b34bd23f9feef894e83aad5ab6b7c64bb9f0aa7b674f850391c6ba48512110ac01c959f6a0947c31f57b9bd8477c02d1d8c5436b2b5d51a117

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.persisiciptautama.com/
  • Port:
    21
  • Username:
    log@persisiciptautama.com
  • Password:
    invisible1234

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.persisiciptautama.com
  • Port:
    21
  • Username:
    log@persisiciptautama.com
  • Password:
    invisible1234

Targets

    • Target

      Delivery Note - AWD 200038485852- 2349203000700.exe

    • Size

      692KB

    • MD5

      edf7233e91d854d4fab7545bb95b54fb

    • SHA1

      664d328cc91fba9637532b05d1e188241b2fabcd

    • SHA256

      b66a9674ccc165eebf25c3e0328e5af3435761cb21b18210d5d25cfba72f0a12

    • SHA512

      f258ebc3094ed8542f0d446a61fcbd542a674a0e8216af77aa4ba4dcd1cb9f6be642d1b76f9b4558ebec8a644c166f1b4fed5ed53c520cfa56d28e9f72caff9f

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

  • Credentials in Files (T1081): 3

Collection

  • Data from Local System (T1005): 3

  • Email Collection (T1114): 1

Tasks