2684031accd6c43abe67d62f1901374970f18999c51c7fd19d0d047ea7232fb8

General

Target: 2684031accd6c43abe67d62f1901374970f18999c51c7fd19d0d047ea7232fb8
Size: 366KB
Sample: 220521-xmjqtacag5
Score: 10/10
MD5: 43ac4837ede606f770bdc08667d5ed13
SHA1: 526bfef123357bba6ba8b347bf7f82ce294954e4
SHA256: 2684031accd6c43abe67d62f1901374970f18999c51c7fd19d0d047ea7232fb8
SHA512: e3fdcca4f025d770d4fc95b76f6b19b358b70a51a9f5eb93c25dece3738d1357e0bea7a81693020f964fe5ee444978ddf278a02764738202058980065171e512

Malware Config

Extracted

Family: agenttesla
Credentials:
  Protocol: smtp
  Host: smtp.yandex.ru
  Port: 587
  Username: jaffinmark@yandex.ru
  Password: @jaffinmarknma@344

Targets

Target: RFQ140820.exe
MD5: 09013774aa4a7b0a4394f394a0f2fb42
Filesize: 411KB
Score: 10/10
SHA1: 9cd0e4e63f41ffedb73cb26b73dea0ea661fd216
SHA256: 6011714f77a9cfdf682b04df3490a0ca227d9a64074946304b8ccd0c83e6264e
SHA512: f5676ee01bc1aeaf3877202dddcbbfe68921ef2363f4b70f907b05ba3921e519c50f0cb780ae52245894079b49b134f42c2352c2170a3c1f31842e9da7451d56

Signatures

  • AgentTesla
    Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely for geofencing.
    TTPs: Query Registry; System Information Discovery

  • Reads data files stored by FTP clients
    Description: Tries to access configuration files associated with programs like FileZilla.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of local email clients
    Description: Email clients store some user data on disk, where infostealers often target it.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System; Credentials in Files

  • Accesses Microsoft Outlook profiles
    TTPs: Email Collection

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (tactic columns)

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation