General

  • Target

    a2c76f1d92fa89671867f90986a86a87_JaffaCakes118

  • Size

    588KB

  • Sample

    240403-wk9c1sgd5s

  • MD5

    a2c76f1d92fa89671867f90986a86a87

  • SHA1

    856585e784b7280d136b8129553aa0ad92a8ea3d

  • SHA256

    55aed03e89170a5d23ecff52a4f5a8ea81fa921aa37d19c3d807c7b2078cf3a2

  • SHA512

    2532fb9a3a29e473d3b5d33eae522c075b5f4a9ab77f1e8937901834c0bfb9beaf1b1e0d3bb25d9fb0ffb3bfaf9b1b3c3c4dce64e2a9be1c8f309721c2d457f4

  • SSDEEP

    12288:Z8fWn0aWPNi/NAGbVDajr/V6tvC69WIp8mle3PMH9snfp:ZAaVDE7yvCIG3PZ

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2046248941:AAG5Z0PyWwtApmPaysBm59voK10ec9Rgnaw/sendDocument

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks