General

  • Target

    RFQ Inquiry sheet.rar

  • Size

    753KB

  • Sample

    221208-ng8cjscg6v

  • MD5

    5c57273193ec5af96b9bfb2edc8fe6e0

  • SHA1

    c04fc764317efbe8ec0c82259d4fe96b0f02639d

  • SHA256

    6b6e0545ff5704d86b762ab424849e1ce93b921aaab6840a0af4bc265dae1c15

  • SHA512

    cf5e2646bea7d64079bb3b0c650ff6f6bc1a2d17d9103f4d4d342660046cb23d0fde28a340f9dfd17e59e024abcc8a92bf220f86d0959320e7419ab0eebd97d4

  • SSDEEP

    12288:nJO12E+1YfFySRzJJVoyj6kN306c/mYPyH7uBn7vQO9Xi6MV1octeP712OiKCU4a:n31YfJNyyjN9y/Q7Mrr9Xh2EVsm

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.togotaxgovernance.com
  • Port:
    587
  • Username:
    data@togotaxgovernance.com
  • Password:
    bScS(yyM7

Targets

    • Target

      sample order sheet.exe

    • Size

      916KB

    • MD5

      15e12b5617dfb66d983963368dd80fc2

    • SHA1

      dc6aeb6d475168ca144b739eea005de0d4ff905d

    • SHA256

      24db2e7ba38ff5dc81c50e2b03c174de23cad2b480bb82a989b00f12767e19a0

    • SHA512

      8cb6a582ea70566f15f48186bab7b02ce23797c7f97f26ad520f908aecd076eb51f5c86eee2cafb93c2bb1b00f17fa6989877271a03e9fd88c5e5aea337161a5

    • SSDEEP

      12288:d2PFilGPtdUASF1cpeVBe9Brd52WBKG1dzBomLtx0M3UyapY+ZmBjHUk+q7K3o3n:U9iUl9SF659BrdUtgdmssmihZmBHM

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks