General

  • Target

    aa7ed6764e239ff973c34ee9c96a3477_JaffaCakes118

  • Size

    544KB

  • Sample

    240614-s6gy4sxapf

  • MD5

    aa7ed6764e239ff973c34ee9c96a3477

  • SHA1

    678b42d7d05a1e38b57ae7edcad4ac2b272a1071

  • SHA256

    250767d2c74519fe12a67bdd1623889e860ac32c27b375416b548f9714ff6aff

  • SHA512

    5a93aa871d15aa4f96fc8b638e1d9a13e9e7af6e289b9a323bd2d9c5fcbd9bc1200c562392ba40f2da289b80bcff5def496e74afdad9f0699ef8ef953bf69f33

  • SSDEEP

    6144:tOscs+/WwQzFC5RSVUj6Bq31DUy0gPm6rQN+KbkP+6obTi7Qhu6HTeeReDGSGROL:8sclPQRVUqu1DUp6rrnpQ446GWyNO8w

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.trinityealtd.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    T@Trinity

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access

    • Unsecured Credentials (T1552), 4 matches
      • Credentials In Files (T1552.001), 3 matches
      • Credentials in Registry (T1552.002), 1 match

  • Collection

    • Data from Local System (T1005), 4 matches
    • Email Collection (T1114), 1 match