General

  • Target

    971b4920c07330e68bf402bfd1f8bc8f_JaffaCakes118

  • Size

    434KB

  • Sample

    240605-d47dnadb21

  • MD5

    971b4920c07330e68bf402bfd1f8bc8f

  • SHA1

    611a2e34399043c34dc39fbeb14e42c1183c01da

  • SHA256

    18be8256c63f4991a328ebbc9866294589609a4fa562a203a74051d2919d7f2e

  • SHA512

    80224a614566131fda8f26197854bafffec6c6317953399a7ab6a3da6d6e9926b64df3c1635864c1c916b140633710d8de1b39e1bac1299d03fca6d653b5a944

  • SSDEEP

    12288:YrFXmUP61FC34hYyRd8R0xp2R8MLCnE8AZkRa4L+Q98:EgFbhYQk0xp2RPkRaz

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    1989dennis

Targets

    • Target

      971b4920c07330e68bf402bfd1f8bc8f_JaffaCakes118

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks