General

  • Target

    COMPANY CERT PRODUCTS LIST_Export Inquiry.exe

  • Size

    195KB

  • Sample

    230331-qndgvshf56

  • MD5

    9c2b44cf6b61e7c6eef66f5076b8bde2

  • SHA1

    aad664a9c0068982ef9b4f88e4985c5dd1f482eb

  • SHA256

    1f84c574a2f7836be22289a50c618d60dca14790609889eff1e25f8cdf49f468

  • SHA512

    d8009da77277065f003148fc1bb8b69e52c88e89c06eb1d3ef6e87d5817d15a66b7ddfc197ad8fd174a205134757c6b7cbcb55d4d58a8e3cc131e177d42e485c

  • SSDEEP

    1536:9748+jZ4I1r31G7qi1xnibNUCzWWWD1H:97DkjInibNcH

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.falconcoldstore.com
  • Port:
    587
  • Username:
    sales@falconcoldstore.com
  • Password:
    FCS@COLD2017

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.falconcoldstore.com
  • Port:
    587
  • Username:
    sales@falconcoldstore.com
  • Password:
    FCS@COLD2017
  • Email To:
    frankgodsons@yandex.com

Targets

    • Target

      COMPANY CERT PRODUCTS LIST_Export Inquiry.exe

    • Size

      195KB

    • MD5

      9c2b44cf6b61e7c6eef66f5076b8bde2

    • SHA1

      aad664a9c0068982ef9b4f88e4985c5dd1f482eb

    • SHA256

      1f84c574a2f7836be22289a50c618d60dca14790609889eff1e25f8cdf49f468

    • SHA512

      d8009da77277065f003148fc1bb8b69e52c88e89c06eb1d3ef6e87d5817d15a66b7ddfc197ad8fd174a205134757c6b7cbcb55d4d58a8e3cc131e177d42e485c

    • SSDEEP

      1536:9748+jZ4I1r31G7qi1xnibNUCzWWWD1H:97DkjInibNcH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks