Resubmissions

General

  • Target

    9756289d21773a4aa80a20bbb4ca43e2_JaffaCakes118

  • Size

    417KB

  • Sample

    240605-grb9jaga2v

  • MD5

    9756289d21773a4aa80a20bbb4ca43e2

  • SHA1

    831eeb674e68759363d3d6109e0f51a04492394f

  • SHA256

    791a1952802fb90ab83d9644b7c34783e2081144ef9511476060abe50b867f3c

  • SHA512

    5246f53e0fc365cb66c750c51d64dd8eff92e2cc2ad20403f0d00c754686a1e2862128e11c7c5e0498c9874785b5ba2f0a8589b2de3be5d6e9507eed17b1b58b

  • SSDEEP

    6144:EaEYEMpCPhoXnEkHWgjdG4bC6LAWgFPBdmmBydBqnTorpFVBcoseun7wrBbVrLmY:tEY2c7jA4b4Wgd+mBydBhnzseu7KBlvj

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nc$jcXy8

Targets

    • Target

      New Shipment nvoice No..exe

    • Size

      893KB

    • MD5

      554be553969bba38ee71b2abe52ee6c8

    • SHA1

      8d93b01450fb52f7b12187b17bf5c318fb79d858

    • SHA256

      6c4e1f8d9d65712d50dd63f5ef8bce5c788afcec567f735e035f068d8c859341

    • SHA512

      ec3f3a3d10f13e28a7e29f025a83dac249839cf2c1b59613200cd539808b388fd429b437c41b9feb07fa09ace3f58988daee0a5d4ff92dfc03481a30813338b2

    • SSDEEP

      24576:BZD1cQJRl7oN0RhBIVduQVo28zUOR93hrZgQV/8:LJR+17Vo28d3hZ8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks