General

  • Target

    e7666b9120295666851ea1749699ab14_JaffaCakes118

  • Size

    818KB

  • Sample

    240408-n1q8dabg61

  • MD5

    e7666b9120295666851ea1749699ab14

  • SHA1

    8fb07dc7c409561deb52d06b57ad351ab858995c

  • SHA256

    ef2dd9364aac91580b27b37735c1f1e885dd8edf3bbef2f0ac972d73799c0070

  • SHA512

    19d8238bd8578c204ec72a001fb2f7a634ac40f7f591e99e0ccbf11ecbf74deb86d2f7dcb7a5989e613ea807cff3c47007551731f4400554eb9b8556e5a91b99

  • SSDEEP

    12288:Ppxr4lsNOMIl6elGNc5c7QlG//Knd+iz8RJ5EzcKrNfASpiJ/rO2iN:Pfrtc5MQ6CdqRJ5EzcKrNfASw/rO1

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks