General

  • Target

    554be553969bba38ee71b2abe52ee6c8_JaffaCakes118

  • Size

    893KB

  • Sample

    240518-r93jjsgh66

  • MD5

    554be553969bba38ee71b2abe52ee6c8

  • SHA1

    8d93b01450fb52f7b12187b17bf5c318fb79d858

  • SHA256

    6c4e1f8d9d65712d50dd63f5ef8bce5c788afcec567f735e035f068d8c859341

  • SHA512

    ec3f3a3d10f13e28a7e29f025a83dac249839cf2c1b59613200cd539808b388fd429b437c41b9feb07fa09ace3f58988daee0a5d4ff92dfc03481a30813338b2

  • SSDEEP

    24576:BZD1cQJRl7oN0RhBIVduQVo28zUOR93hrZgQV/8:LJR+17Vo28d3hZ8

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nc$jcXy8

Targets

    • Target

      554be553969bba38ee71b2abe52ee6c8_JaffaCakes118

    • Size

      893KB

    • MD5

      554be553969bba38ee71b2abe52ee6c8

    • SHA1

      8d93b01450fb52f7b12187b17bf5c318fb79d858

    • SHA256

      6c4e1f8d9d65712d50dd63f5ef8bce5c788afcec567f735e035f068d8c859341

    • SHA512

      ec3f3a3d10f13e28a7e29f025a83dac249839cf2c1b59613200cd539808b388fd429b437c41b9feb07fa09ace3f58988daee0a5d4ff92dfc03481a30813338b2

    • SSDEEP

      24576:BZD1cQJRl7oN0RhBIVduQVo28zUOR93hrZgQV/8:LJR+17Vo28d3hZ8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks