General

  • Target

    QUOTATION.zip

  • Size

    427KB

  • Sample

    230331-l9ngqshc53

  • MD5

    ab48236e894a48db135c0e367093ba22

  • SHA1

    6ab2aa1c63f182837466480ad0695128b27cb534

  • SHA256

    e28188df2ced3fb282c0ad2f7fb0104df0d090aa9ca0435840af48f9c279f5d5

  • SHA512

    a426178a3c99d393173d099d72ac999cbcc8034e6606a91a2f01edb1babb9c2813919eea24187325f7ffd9e33b28c2aac10ab205b632c6f1060a1ba90b1d9d7a

  • SSDEEP

    12288:IlevCUDOjCwULASpTW4+ziH32ZV6Q5h9hg5kq:IlevC+qKX2ZV6laq

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.southernboilers.org
  • Port:
    587
  • Username:
    info@southernboilers.org
  • Password:
    Sksmoke2018#
  • Email To:
    obtxxxtf@gmail.com
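
The extracted config above is an exfiltration channel, not just a credential leak: every infected host will authenticate to mail.southernboilers.org:587 as info@southernboilers.org and send harvested data to the listed recipient. The matcher below turns those three values into detection logic over SMTP session records. It is an added example, not code from the sandbox or from this report; the log records are constructed in a Zeek smtp.log-like JSON shape, and the `resp_host` field is an assumption (a resolved name for `id.resp_h`, as you would get by joining against dns.log).

```python
"""Match SMTP session records against the AgentTesla exfil config above.

Added example with constructed data; not part of the sandbox report.
"""
import json

# Values copied from the "Malware Config" section of this report.
# email_to is reproduced exactly as printed there (partially masked).
EXFIL_CONFIG = {
    "protocol": "smtp",
    "host": "mail.southernboilers.org",
    "port": 587,
    "username": "info@southernboilers.org",
    "email_to": "obtxxxtf@gmail.com",
}

# Constructed records in a Zeek smtp.log-like JSON shape (not real logs).
# "resp_host" is an assumed field: the resolved name for id.resp_h.
# The third record has no envelope fields, as happens when STARTTLS hides
# MAIL FROM / RCPT TO from the sensor.
SAMPLE_LOGS = "\n".join([
    json.dumps({"ts": 1680264000.1, "id.orig_h": "10.20.30.44",
                "id.resp_h": "203.0.113.10", "id.resp_p": 587,
                "resp_host": "mail.southernboilers.org",
                "mailfrom": "info@southernboilers.org",
                "rcptto": ["obtxxxtf@gmail.com"]}),
    json.dumps({"ts": 1680264050.7, "id.orig_h": "10.20.30.51",
                "id.resp_h": "198.51.100.5", "id.resp_p": 587,
                "resp_host": "smtp.corp.example",
                "mailfrom": "alice@corp.example",
                "rcptto": ["bob@corp.example"]}),
    json.dumps({"ts": 1680264101.3, "id.orig_h": "10.20.30.44",
                "id.resp_h": "203.0.113.10", "id.resp_p": 587,
                "resp_host": "mail.southernboilers.org"}),
])


def match_record(rec: dict, cfg: dict = EXFIL_CONFIG) -> list:
    """Return the reasons one SMTP record matches the exfil config.

    Each indicator is checked independently so a TLS-wrapped session with
    no visible envelope still matches on host:port alone.
    """
    reasons = []
    host = (rec.get("resp_host") or "").lower()
    if host == cfg["host"] and rec.get("id.resp_p") == cfg["port"]:
        reasons.append("connection_to_exfil_host")
    if (rec.get("mailfrom") or "").lower() == cfg["username"]:
        reasons.append("stolen_account_as_sender")
    rcpts = {r.lower() for r in rec.get("rcptto", [])}
    if cfg["email_to"] in rcpts:
        reasons.append("exfil_recipient")
    return reasons


def scan(log_text: str, cfg: dict = EXFIL_CONFIG) -> list:
    """Scan newline-delimited JSON records; one hit per matching record."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = match_record(rec, cfg)
        if reasons:
            hits.append({"ts": rec["ts"], "orig_h": rec["id.orig_h"],
                         "reasons": reasons})
    return hits


def affected_hosts(hits: list) -> list:
    """Internal source addresses that produced at least one hit."""
    return sorted({h["orig_h"] for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(h)
    print("affected hosts:", affected_hosts(found))
```

A host:port-only match is the weakest of the three signals (it would also fire on legitimate mail to that domain), so treat it as a pivot rather than a verdict; an envelope match on the stolen sender or the collector recipient is conclusive. Either way the info@southernboilers.org mailbox is compromised and its password should be rotated, since the sandbox extracted it in clear text.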

Targets

    • Target

      QUOTATION.exe

    • Size

      646KB

    • MD5

      50d792a1ee7059bfaf34afd54b32cba8

    • SHA1

      a4b32d17b36b20155545927450a43eb2d117a306

    • SHA256

      1b85fb5069a28ee305b4371bda09a96674ec37d9ebc52aecdb6c6245419f067f

    • SHA512

      85b75b15bdc59e7b12cae69c0d3245ef7b7d45cbb0a1a5e09232c03844400883dfe01a81a4d69752dcd43c7568f96e747959a28adb08e10c72aefa06e623afea

    • SSDEEP

      12288:AKPFSP0zGiyywVbU+zi93cZ/6QlJ9hS2H:AiFSsGUwVbuFcZ/6d+

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests credentials and keystrokes and exfiltrates them over SMTP, FTP or HTTP; this sample uses the SMTP configuration extracted above.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (skipping execution in certain regions).

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk, where infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is a common step in process hollowing and other code-injection techniques; Agent Tesla loaders typically inject the payload into a child process this way.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Matches  ID
  Execution             Scheduled Task                 1        T1053
  Persistence           Scheduled Task                 1        T1053
  Privilege Escalation  Scheduled Task                 1        T1053
  Credential Access     Credentials in Files           3        T1081
  Discovery             Query Registry                 1        T1012
  Discovery             System Information Discovery   2        T1082
  Collection            Data from Local System         3        T1005
  Collection            Email Collection               1        T1114

  The IDs follow ATT&CK v6. Note that T1081 (Credentials in Files) was deprecated in later ATT&CK releases and is now T1552.001 (Unsecured Credentials: Credentials In Files); map accordingly when importing these into a current ATT&CK navigator layer.

Tasks