General

  • Target

    fa35b2b88c45608c33f3628df54de5ec_JaffaCakes118

  • Size

    607KB

  • Sample

    240419-nqasmsbd9x

  • MD5

    fa35b2b88c45608c33f3628df54de5ec

  • SHA1

    f77f6af3945ea45545e7c5da1a3d95f72338d742

  • SHA256

    8fa84e1705f2a7b8292642547132be7aa6f6118b410f25b176e66729fb571f9f

  • SHA512

    1a0d87c6e87914f2207181a6d1c31f2308fa9ca70a5ba4a35f2ce0a9889f10a8374b75a62a24fb8b6ae2667d117cfe282673aa9694eccdec47377840b85b60e9

  • SSDEEP

    12288:pSXSHpHqufXuuPQjNIYyzm0mPP/g8HrbwoaHTlUxvbTauPNqa:wXshPuotVKo8HrbsH2xDTauZ

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ananthahotels.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    india225@#

Targets

    • Target

      RFQ-41845597.exe

    • Size

      554KB

    • MD5

      03ebac4b300318683abedd76cdb7bde6

    • SHA1

      b475b0079d963fc7198cbc12f4f3447ce95da352

    • SHA256

      9bca070ab37ea78134d5e9a5203521570bddd110e8ea8a620b702c71ecd89d54

    • SHA512

      f9b68b6463872018f20f7fe39d94afe823bf5f47b188c90311c2f6e478822cac435fe7158307cfeb409b243d72d1e865cdc3024d6ca6461ea1bee4cc9d8a743e

    • SSDEEP

      12288:BzpH6Ibw8eGm9/5srz16kfmTG+gkodqJFTP:BVdbw8eGm9hsn1cG+zEq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Tasks