General

  • Target

    $57,000.00.zip

  • Size

    482KB

  • Sample

    230330-paa9xaea3t

  • MD5

    bf6e7ddff7bf957553ac390178728581

  • SHA1

    2fd0f25edb546046a6b52412e98f1c563493e87c

  • SHA256

    f3caeea10bc33fbf3a105e0b10998ab1053e95a0df9a9ebdee936f4ac6f1e8d5

  • SHA512

    f758ae8a70fa3376a884e6317cceb3173357bd205a8dbd1899e743fa5777fdd421e54d86ddd236b226772f6c9b620a4f93a9af7e4af31883871840deae3df8eb

  • SSDEEP

    12288:OvTiqu42mOMHQbGeGnuih+MGcUheRTzRHb:O9ulVbrRK+MG3eRTd

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.southernboilers.org
  • Port:
    587
  • Username:
    info@southernboilers.org
  • Password:
    Sksmoke2018#
  • Email To:
    obtxxxtf@gmail.com

Targets

    • Target

      $57,000.00.exe

    • Size

      709KB

    • MD5

      bf7e3ea1bbaba155ce9079dc9e959501

    • SHA1

      be73007a9ea47dcd70ad4c17f239a78c709829d8

    • SHA256

      8107f9ab5c5030afbbbebfd98280556cc08697cffa66d45548c5e012209d9184

    • SHA512

      ee89bdfd7557ef43f705c5a14e01bbbda3cac74d3ef14361cb4ebe9b45afc22be2e437acc68886abb92fcad8e9145f205956f7c23c348a625f79e28b9ad600c4

    • SSDEEP

      12288:hxBZWR942mwMHGtGeIn+ihCMGkU0yywVn3:h1WR9lptrNKCMGIwV3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks