General

  • Target

    54faae96db26732d8fcb30b45ed9dd5d_JaffaCakes118

  • Size

    649KB

  • Sample

    240518-qxfctaea72

  • MD5

    54faae96db26732d8fcb30b45ed9dd5d

  • SHA1

    4b53c5234353b12474597338d2d0c6abf9861ca7

  • SHA256

    099b24e1801dfdab9db3a4ccf2e57f187c119fd826b8645e6c494d3fda457721

  • SHA512

    971dac0502e9ed0ea6030057e624f6d28c80a13ce3e87bc10819995a1ec3cdfabd15a7e2cee54419e8d9caf43895d227ace66d05bb3efb1a044396e71ccc2345

  • SSDEEP

    12288:ZnTqBYh2ppPFx5nbeEjut+Lfs5abDUqaNdl++r:nhCFxVFu8LfskbYjRr

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    HEoxefZ9

Targets

    • Target

      54faae96db26732d8fcb30b45ed9dd5d_JaffaCakes118

    • Size

      649KB

    • MD5

      54faae96db26732d8fcb30b45ed9dd5d

    • SHA1

      4b53c5234353b12474597338d2d0c6abf9861ca7

    • SHA256

      099b24e1801dfdab9db3a4ccf2e57f187c119fd826b8645e6c494d3fda457721

    • SHA512

      971dac0502e9ed0ea6030057e624f6d28c80a13ce3e87bc10819995a1ec3cdfabd15a7e2cee54419e8d9caf43895d227ace66d05bb3efb1a044396e71ccc2345

    • SSDEEP

      12288:ZnTqBYh2ppPFx5nbeEjut+Lfs5abDUqaNdl++r:nhCFxVFu8LfskbYjRr

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks