General

  • Target

    555f8f7bf9625f2abb40baaa9bcc58a7_JaffaCakes118

  • Size

    649KB

  • Sample

    240518-sl7c9shf28

  • MD5

    555f8f7bf9625f2abb40baaa9bcc58a7

  • SHA1

    bf619be36083ea29387d0046f3bb051b02b8a93f

  • SHA256

    79824756e871c291ced605421479921a1ae4cce21777c9173d124f516b4acd23

  • SHA512

    10e6a1feaedd13de86ada3ec9786cbfe34eec57e720f4b78d8bd97ba9a1f48ba96170abf0fbef4ec8d3299aee59bf5a91e00a3ffce6498fc584f3cc8bee8edb1

  • SSDEEP

    12288:HhTnOKHz79bwUvrAqqJONcMQPnaYxaIGIbMVjsSWihQwXD7ias2V3NRwQ:HMKT79PvvqIcMQPnjaIGIbqjtbVXD7r1

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    kingmoney12345

Targets

    • Target

      Shipment Confirmation.pdf.exe

    • Size

      721KB

    • MD5

      c43712a220c16a8b4b34aa87d512841a

    • SHA1

      a65860e3aab9c0b3ddc85dfe637d0f20a28b082f

    • SHA256

      8a4a88659d3c4afd400027535885406c187ef780b4ac69a5f649d41b6f4a0278

    • SHA512

      90a52acd4e6d6bc8fcd5cd1b437defbaaf39178b9681ff0fa7d75d4bc85e62aafb91edb95f730cf0226cd41cec39274dee03845ab488d92607d18f46c6e7a082

    • SSDEEP

      12288:WJXhe51p09ATlOF3HWR398LivZV0nS/bXqfqxwusfGHKMY2UsI9WrhPgaI:WJMriATGW7uiv30KbqiiRlMYgIA4aI

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks