477b21660b3ecaf3a5822b9c46a8b0790755b7506c6ea1933177cd82bcf440ef

General
Target

477b21660b3ecaf3a5822b9c46a8b0790755b7506c6ea1933177cd82bcf440ef

Size

382KB

Sample

220521-xmc82afdap

Score
10 /10
MD5

425d2299a175933b983b6b48b35113f8

SHA1

5ce6fb416c6ff1b2f25315fc20aed00ef06c367b

SHA256

477b21660b3ecaf3a5822b9c46a8b0790755b7506c6ea1933177cd82bcf440ef

SHA512

ca63461431131441de87eb7c04d2f7d1e23431d7a88a48926849b4cfb6be4532dd15639abb643da004a5545746e47b3a2685d9d7bab9fa3647bb565ede82ff21

Malware Config

Extracted

Family agenttesla
Credentials

Protocol: smtp

Host: smtp.ionos.es

Port: 587

Username: bailen@famorga.com

Password: Famorga2017

Extracted

Credentials

Protocol: smtp

Host: smtp.ionos.es

Port: 587

Username: bailen@famorga.com

Password: Famorga2017

Targets
Target

INVOICE.exe

MD5

a4975ac7f40ccf4d1803e8edb97dce9e

Filesize

416KB

Score
10/10
SHA1

2c7d642447cfb2a4b1ce65659ed383b0c96f11ed

SHA256

fda1d068f7b5e8dcbaa65b83088db628ebc9e6420a9fdd258fb5f62bcb4b0935

SHA512

e7b9c414498f1bf101aaa8a77f94266acf6099cb62e9027a8707d71195ece5f67c48745e3f72b7f77ea15bce803990852f3668c8069b2ab4e49b527e4165a681

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • AgentTesla Payload

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses Microsoft Outlook profiles

    Tags

    TTPs

    Email Collection
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                Privilege Escalation