General

  • Target: 4286e12a3e24d185addc75eaccc631a0_JaffaCakes118
  • Size: 229KB
  • Sample: 240514-w89npaad51
  • MD5: 4286e12a3e24d185addc75eaccc631a0
  • SHA1: 26276a65997ab3ce53de4bd9ab67cdfde3ab2881
  • SHA256: 7e5808daa972d856696cec4f73eb47f9ad1138631d8b3bf8db3869c7781aa29b
  • SHA512: a54a2f1a70d1c42439c7b659fe89ab92eab45c81f87cad6d5e11140ebcdfa4acd4a36cc70c370726c41a733f28c857511b6b1b4bb9acb4d4864a5955efa3f5db
  • SSDEEP: 6144:/bXaJcwKINhUTSUhb5NTyv4SPYPsPCjjmkMYUCEJCq2Ye:/bScwKDSinWv3gPsqjj8zLJpe

Malware Config

Extracted

Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: 77.83.117.234
  • Port: 587
  • Username: [email protected]
  • Password: J3fP8xWq

Targets

    • Target: Qoutation for April and Company Profile_PDF.exe
    • Size: 361KB
    • MD5: 9c7be5184e4791e825515ab678da3d13
    • SHA1: 22fc60df7bf113fb67f349f2f23243bdc75cea19
    • SHA256: ccf82f0f1e542d73385df3b68f7e9fdcae3d9e2a091ea879602ba287b0199203
    • SHA512: 8a67c3c0518f259fa131b44f99a5b3e1e6ffd0b8dd5bf93ab793084ed1b6cd81c9074591666e182b7ca7bf328b9051b045c54a0e4ceee9a2703804086c6bef45
    • SSDEEP: 6144:Ykkwncv0EkiluaTKtjsauEjGUajqCp7GMiQGtCd8CuLmRcCV/LIRDALNXvz:YkkPcoZWhRjGZV74tCd8CuLmRjEZA

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks