General

  • Target

    eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118

  • Size

    499KB

  • Sample

    240410-rn7w5sea4v

  • MD5

    eb4412b32b90cbff3cff3a2762623f9c

  • SHA1

    5071ad5d98932f0bc81584ce9500efe361166efd

  • SHA256

    12c620e143987ad28fe072cdd8dfc5b0e2cde3492cae25168e13435463323d18

  • SHA512

    016bcf96a4645cc25a31dd996f4c7021cf847498398cfe7c4761a7c4c34ff391b7fcd567ad032483d6f292d59945c41821536cfb75feccbd29e838c88cb6b0fd

  • SSDEEP

    12288:ic4hbmOwD71tJha6QSGUsy7Se75DdWT7/:b8bmOKhtPUUbSW5DdG7

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.videoalliance.ru/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    xq0~K^xsfq08

Targets

    • Target

      eb4412b32b90cbff3cff3a2762623f9c_JaffaCakes118

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext
