General

  • Target

    500578cfba8b85ecd1dd659595b001a5_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240517-rytr9sca5x

  • MD5

    500578cfba8b85ecd1dd659595b001a5

  • SHA1

    723087b7178d692ecd6702dd094c108d454550eb

  • SHA256

    657b4853b0343e6227d5750e7a632cf96e55ae8330a62abef4eec13e00facd5a

  • SHA512

    2839a16d9b54280b0e6350a3614dbae7464eef81dfa78f3d9dc9fa468b4bda3aa9255891649e62f44d10b01df15b661907a81e70e0d2b43d487861728e2e4efb

  • SSDEEP

    12288:OinvknBVQuYP3SWoz0iUXqr60br59Pn3Vk0e:OivOBVmP7viUXO6Ur59P3Pe

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.makezimbetter.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Mah3r@34

Targets

    • Target

      PO_ORDER.exe

    • Size

      535KB

    • MD5

      290c3c0efc61d301d3adb59b61cfeab9

    • SHA1

      2598ff4a8854e0fa44520eea424d9ba4c1cb2ad2

    • SHA256

      4f670101c607562bfd86014483418aaf3e76c63ab2071b21da1ea1eb576f9bdd

    • SHA512

      24ee6d6cec6cfb975cdae1225c67bc259130daa43881d429b65bf54ea1d5d512fe80f990684e4930e00da0d2780ba10803abd51e23cd770bb593ddde08fd9fa8

    • SSDEEP

      12288:ginvknBVQuYP3SWoz0iUXqr60br59Pn3Vk0e:givOBVmP7viUXO6Ur59P3Pe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks