General

  • Target

    a3f7e5c2164d5386bb4161fc9e8e0881_JaffaCakes118

  • Size

    531KB

  • Sample

    240403-xlhr5aaa78

  • MD5

    a3f7e5c2164d5386bb4161fc9e8e0881

  • SHA1

    44cd5fdf36eea5df109549108f7ca371ca197057

  • SHA256

    9688972a550182710459937ac8beaf2648614e12b041729732c6c31503b1aff7

  • SHA512

    ab63a704f67f98dbb9ba73df6ae9bcda5677821512f3709626f29a497d4b692a6a6c9ca5d5e37960b8564c5e87aee69ec495159c1c0c7b7558e09d1cb5ec0af2

  • SSDEEP

    12288:sseq5cNHSyfeM8RwvQFWupJY1lC3eVXgtsmyEyjwysS7EvdAXJd60:sseBN0RQCKCDZyjAS7uUz60

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    e)cnIdR1
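The extracted SMTP account is the most actionable item in this report: the host and port tell you where the stolen data goes, and any endpoint that opens that connection from a process other than a mail client is compromised. The script below is an added example (not part of the sandbox report) that matches the extracted host/port against Sysmon-style Event ID 3 network-connection records. The event lines, their field layout and the process names are constructed for this example; the allow-list of mail clients is an assumption you would tune to your environment.

```python
"""Hunt for Agent Tesla SMTP exfiltration with the extracted config.

Added example, not part of the sandbox report: it takes the C2 host and
port from the 'Credentials' block above and matches them against
Sysmon-style network-connection events (Event ID 3). Event lines, field
layout and process names are constructed for this example.
"""
from dataclasses import dataclass

C2_HOST = "us2.smtp.mailhostbox.com"   # Host from the extracted config
C2_PORT = 587                          # Port from the extracted config

# Processes expected to speak SMTP submission (TCP/587). Anything else doing
# so is worth a look even when the destination is not the known C2 host,
# because Agent Tesla builds often rotate mailbox providers. (Assumed list.)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed Sysmon Event ID 3 records: id|utc|image|src_ip|src_port|dst|dst_port
SAMPLE_EVENTS = r"""
3|2024-04-03T12:00:01Z|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|10.0.0.5|52311|smtp.office365.com|587
3|2024-04-03T12:00:09Z|C:\Users\victim\AppData\Local\Temp\Scan0020.exe|10.0.0.5|52320|us2.smtp.mailhostbox.com|587
3|2024-04-03T12:00:15Z|C:\Windows\System32\svchost.exe|10.0.0.5|52325|52.96.0.1|443
3|2024-04-03T12:01:02Z|C:\Users\victim\Downloads\invoice.exe|10.0.0.5|52331|mail.example.net|587
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    image: str
    destination: str
    port: int
    reason: str


def parse_events(text):
    """Yield (timestamp, image, destination, port) for Event ID 3 lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, ts, image, _src_ip, _src_port, dst, dst_port = line.split("|")
        if event_id == "3":
            yield ts, image, dst, int(dst_port)


def hunt(text, c2_host=C2_HOST, c2_port=C2_PORT):
    """Return Hits for connections to the extracted C2, plus SMTP submission
    from any process that is not a known mail client."""
    hits = []
    for ts, image, dst, port in parse_events(text):
        exe = image.rsplit("\\", 1)[-1].lower()
        if dst.lower() == c2_host.lower() and port == c2_port:
            hits.append(Hit(ts, image, dst, port, "connection to extracted C2 host/port"))
        elif port == c2_port and exe not in MAIL_CLIENTS:
            hits.append(Hit(ts, image, dst, port, "SMTP submission from non-mail-client process"))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.timestamp} {hit.image} -> {hit.destination}:{hit.port}  [{hit.reason}]")
```

The second rule is deliberately broader than the first: the mailbox in the config is disposable, so matching only the exact host gives you one sample's worth of coverage, whereas "TCP/587 from something that is not a mail client" keeps catching rebuilt payloads after the credentials rotate.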

Targets

    • Target

      Scan0020.exe

    • Size

      638KB

    • MD5

      a2db85fcad3878617112ac3266282587

    • SHA1

      57fb3301594c5577e6c39fdb6388883995cf24d6

    • SHA256

      f88b736fe32b6e458ce63fb67b8bf0ebf6388e6e35e23bf9bcb46893375115f1

    • SHA512

      742b317d09599b21ead1b570ebfdc0dc27197755456090041d56fb2c1e1077ac7f9cbbf77b82d567155db5090acabbae6f8cb1b1692df61ab1439d1cebcc0cbc

    • SSDEEP

      12288:KI+asIzXZ9hvqT2dsWA+DMmyA8wyFtySS7WEZ2a6GwIL8XzuH0:flyuR1DMmryDE4g

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers and email clients and exfiltrates them; this sample uses the SMTP account in the extracted config above.

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the payload can avoid running in certain regions.

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk, where infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread, together with a child created suspended and written to with WriteProcessMemory, is the classic process-hollowing pattern used to run the payload inside a host process.
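The behaviours listed above are individually weak signals (a locale lookup or a Chrome profile read is common in benign software), but together, in sequence, they describe an Agent Tesla run. The script below is an added example, not the sandbox's own detection logic: it walks a trace of API calls and flags the geofence registry read, the browser and email profile reads, and the process-hollowing sequence that is what makes SetThreadContext suspicious. The trace format (one JSON object per line), the pids, paths and registry keys are all constructed for this example; the hollowing logic requires a child created with CREATE_SUSPENDED that is then written to and given a new thread context before being resumed, and treats NtUnmapViewOfSection as optional since some loaders skip it.

```python
"""Triage a sandbox API trace for the behaviours listed in this report.

Added example, not the sandbox's own detection logic. It reads constructed
Agent Tesla-style API call records (one JSON object per line) and flags:
  * the geofence check (reading the configured country/locale from the registry),
  * reads of browser and email-client profile stores,
  * the process-hollowing sequence around SetThreadContext: CreateProcess with
    CREATE_SUSPENDED, WriteProcessMemory into the child, SetThreadContext on it,
    then ResumeThread. NtUnmapViewOfSection is recorded when present but not
    required, since some loaders skip it.
Trace lines, pids and paths are constructed for this example.
"""
import json
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit used by hollowing loaders

# Registry locations a geofence check reads; the first is where Windows keeps
# the user's country/locale settings. (Assumed list for this example.)
GEOFENCE_KEYS = (
    r"HKCU\Control Panel\International",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language",
)

# Path/key substrings identifying credential stores of browsers and mail clients.
PROFILE_MARKERS = {
    "browser_profile_read": (
        r"\Google\Chrome\User Data\Default\Login Data",
        r"\Mozilla\Firefox\Profiles",
    ),
    "email_profile_read": (
        r"\Thunderbird\Profiles",
        r"\Microsoft\Office\16.0\Outlook\Profiles",
    ),
}

HOLLOW_STEPS = {"WriteProcessMemory", "SetThreadContext"}   # required steps
HOLLOW_APIS = HOLLOW_STEPS | {"NtUnmapViewOfSection"}       # tracked steps

# Constructed trace: loader pid 1234 hollows a suspended copy of the sample
# (pid 4321), which then reads Chrome and Outlook stores. Pid 5555 calls
# SetThreadContext on itself with no hollowing context and must not fire.
SAMPLE_TRACE = r"""
{"pid": 1234, "api": "RegQueryValueExW", "args": {"key": "HKCU\\Control Panel\\International", "value": "sCountry"}}
{"pid": 1234, "api": "CreateProcessW", "args": {"path": "C:\\Users\\victim\\AppData\\Local\\Temp\\Scan0020.exe", "flags": 4}, "ret": {"child_pid": 4321}}
{"pid": 1234, "api": "NtUnmapViewOfSection", "args": {"target_pid": 4321}}
{"pid": 1234, "api": "WriteProcessMemory", "args": {"target_pid": 4321, "size": 638976}}
{"pid": 1234, "api": "SetThreadContext", "args": {"target_pid": 4321}}
{"pid": 1234, "api": "ResumeThread", "args": {"target_pid": 4321}}
{"pid": 4321, "api": "CreateFileW", "args": {"path": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}}
{"pid": 4321, "api": "RegOpenKeyExW", "args": {"key": "HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"}}
{"pid": 5555, "api": "SetThreadContext", "args": {"target_pid": 5555}}
"""


def triage(trace_text):
    """Return a list of (category, pid, detail) findings, in trace order."""
    findings = []
    suspended = {}            # child_pid -> image created with CREATE_SUSPENDED
    steps = defaultdict(set)  # child_pid -> hollowing APIs seen against it
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        pid, api, args = rec["pid"], rec["api"], rec.get("args", {})
        target = args.get("key") or args.get("path") or ""
        low = target.lower()

        if api.startswith("Reg") and any(low.startswith(k.lower()) for k in GEOFENCE_KEYS):
            findings.append(("geofence_check", pid, target))

        for category, markers in PROFILE_MARKERS.items():
            if any(m.lower() in low for m in markers):
                findings.append((category, pid, target))

        if api.startswith("CreateProcess") and args.get("flags", 0) & CREATE_SUSPENDED:
            suspended[rec["ret"]["child_pid"]] = args.get("path", "")
        elif api in HOLLOW_APIS and args.get("target_pid") in suspended:
            steps[args["target_pid"]].add(api)
        elif api == "ResumeThread":
            child = args.get("target_pid")
            if child in suspended and HOLLOW_STEPS <= steps[child]:
                findings.append(("process_hollowing", pid, f"{suspended[child]} (pid {child})"))
                del suspended[child]  # one alert per hollowed child
    return findings


if __name__ == "__main__":
    for category, pid, detail in triage(SAMPLE_TRACE):
        print(f"pid {pid}: {category}: {detail}")
```

The state is keyed on the child pid rather than on the caller, which is what lets the SetThreadContext call from pid 5555 pass: with no suspended child behind it there is nothing to hollow, so the call is not reported. Real traces also need the parent/child link to survive the hollow, since the credential reads are attributed to pid 4321, the hollowed process, not to the loader that started it.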

MITRE ATT&CK Enterprise v15

Tasks