General

  • Target

    e07eff7ce4bb2af1d6b8c3c564b66b19_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240406-kq132sfd59

  • MD5

    e07eff7ce4bb2af1d6b8c3c564b66b19

  • SHA1

    d08a18116685a51729f3653d275a0b7a3dcf0997

  • SHA256

    59f4b8d890618bc836dc9fd9bf4c40a1aa6dc7264d6dbbcd3964c3ff5f7e7231

  • SHA512

    f6708a8e48fc2f5f64792ffe547ab6e032d3e79d8423d87caef749164169fea4881e288b48cabc4bfaeb7121131e705c8bd2cc4d0535bea9a58b337966893edf

  • SSDEEP

    12288:gIF/jmBcdGXTK8+2K+Pjf/dKl1niU1vvxWSgjvwd5uDqt3Wvwki+LHuXifkIKtqk:5wadLCjfglUwvxWN4T3pk5ht2xBZ

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.hdconstruct.ro/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    5R)XZ2Xqis2HZ7p[d6+Oe!0i^C85CQ]uD68jNN@ossy~wH-(ie^9O2(001174?skX%ouFto

Targets

    • Target

      Document_BT24PDF.exe

    • Size

      822KB

    • MD5

      7c1be3bb77ce7fecad1e6d142db95fbf

    • SHA1

      63c170cebb0e1ad1104897e8837bf14eb5c08cbd

    • SHA256

      187cdd0639eb10e50f060de4cb487920a65628104f66a0aeb12c5404a55fe298

    • SHA512

      74df0f90d3d92bd0993e4d519105d327c725cf4c10bddb57cbf6a87f10cd7ef2081830813d3ca2b3a9c80560f67808b13d7c5d3c24535d1ed4f45b4ceb9037f2

    • SSDEEP

      12288:mecSSWLU423D7R+5vmVfa4NQDOYyTjTtmJzOHZ+vuF1HXSQoro36nzhdGjKqAXzC:4zWL67R+unuDJ+ssHgu7CQoW6NGqmIS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks