General

  • Target

    payment receipt.zip

  • Size

    615KB

  • Sample

    221129-qms6xsfc5z

  • MD5

    42f697281443db23a08b82fdad84a19e

  • SHA1

    9cb2688c1696b57843c79f236b62a665b67a9942

  • SHA256

    7877c4bba8677a8d98fba31b8fb46526303863b520d35ab3cdcd3436d4bac2b3

  • SHA512

    4dc5739c2bac8a8cecc55cd37b2cc8b6a4f69126e9e5af47980e2cf77eea4a3114691d89b803e07af397904987928f72b8caec686de78df3a29c4ad1ad5738ea

  • SSDEEP

    12288:Y9N8GyU/fFNqK+1vhgbOYE9lSG+s/gL69LNoTZ9K3dI+RP:uZVNo6bOVSofxNO0G+RP

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.sseximclearing.com
  • Port:
    587
  • Username:
    saurav.roy@sseximclearing.com
  • Password:
    Ssxm@9854
  • Email To:
    maxitears7@gmail.com

Targets

    • Target

      payment receipt.exe

    • Size

      777KB

    • MD5

      933c54fec2b05a8dc386623a79f5fed6

    • SHA1

      b70e1861d76cd1a37810fe91ec74cb1848011642

    • SHA256

      f71c278f8f31eb5aafb97b9b8cc6c7f6b2aea97c80bca11ddeede2b7df8b1ee5

    • SHA512

      c25cf1155283841af5b0d510f168837c74652251f969ec55663c2d6174e593cc4f198387be11be2cf187f43f2de2e2e76b09f69c5c063e1cf898280d3760d4de

    • SSDEEP

      12288:oKdsGfZFr5cE8LHWt+zvhqbcIERlSCWs/OL6mMk/SEdRMA/LyzIPPPu6gt:5WvL/YbclSa5mt9/LkInst

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (T1053): 1
  • Persistence
    Scheduled Task (T1053): 1
  • Privilege Escalation
    Scheduled Task (T1053): 1
  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 3
    Email Collection (T1114): 1

Tasks