General

  • Target

    b7ec3e3e0f5c3114dc06399434178cb3_JaffaCakes118

  • Size

    402KB

  • Sample

    240617-lkrg4avdpa

  • MD5

    b7ec3e3e0f5c3114dc06399434178cb3

  • SHA1

    681b25c5532f809013da67c5f07a5af8ab3c5659

  • SHA256

    36bd1b916c5fddc7cab66f5cf0dc406849b3d6eab594c47896475daca4f84766

  • SHA512

    483e3b0b076078843c338ae02d414e74b27b06c5e21dbca126a1851b867684565ea4a366db01867d7c3a05f8eff190af9b44faf5f79148741d8947651b144e74

  • SSDEEP

    6144:1JZj3XBjlkq27zgxRflcIjGzYwTw0FnCK55UbpPgHhrhP5nq:xzZo7cvflcI+b5ClgHh9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    66@Xc5120/$/

Targets

    • Target

      b7ec3e3e0f5c3114dc06399434178cb3_JaffaCakes118

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET; it harvests credentials from browsers and mail clients and exfiltrates them over SMTP, FTP or HTTP.

    • AgentTesla payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
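The extracted SMTP configuration and the behaviours listed above translate directly into a host-based hunt. The script below is an added example and is not part of this sandbox report: it runs the four behaviours that Sysmon-style telemetry can observe (execution of the known SHA256, a Run key being set, a file written under the Drivers directory, and a non-mail-client process connecting to smtp.yandex.ru on port 587) over a handful of constructed event records, then groups the hits per process so the full chain stands out. The SetThreadContext call and the registry country-code lookup need API-level monitoring and are deliberately not modelled. The event records, process paths and the MAIL_CLIENTS allow-list are assumptions constructed for the example.

```python
"""Hunt for the behaviours in the report's signature list in Sysmon-style event records.

Added example, not part of the sandbox report. The events below are constructed to
resemble Sysmon event IDs 1, 3, 11 and 13 after JSON export; they are not real telemetry.
"""
from __future__ import annotations

from collections import defaultdict

# Indicators copied from the report.
SAMPLE_SHA256 = "36bd1b916c5fddc7cab66f5cf0dc406849b3d6eab594c47896475daca4f84766"
EXFIL_HOST = "smtp.yandex.ru"
EXFIL_PORT = 587

# Assumption: processes that legitimately speak SMTP submission. Anything else
# talking to the extracted host on 587 is treated as exfiltration.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Path fragments matched case-insensitively against Sysmon's TargetObject / TargetFilename.
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"
DRIVERS_DIR_FRAGMENT = "\\system32\\drivers\\"


def _image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list[str]:
    """Return the report signatures a single event matches (empty list if none)."""
    hits: list[str] = []
    eid = ev["EventID"]
    image = _image_name(ev.get("Image", ""))

    # Event 1: process creation carrying the file hashes.
    if eid == 1 and ev.get("Hashes", {}).get("SHA256", "").lower() == SAMPLE_SHA256:
        hits.append("Executes known AgentTesla sample")
    # Event 3: network connection to the extracted SMTP host and port.
    if (eid == 3 and ev.get("DestinationHostname", "").lower() == EXFIL_HOST
            and ev.get("DestinationPort") == EXFIL_PORT and image not in MAIL_CLIENTS):
        hits.append("SMTP exfiltration to extracted C2")
    # Event 11: file creation under the Drivers directory.
    if eid == 11 and DRIVERS_DIR_FRAGMENT in ev.get("TargetFilename", "").lower():
        hits.append("Drops file in Drivers directory")
    # Event 13: registry value set under an autostart Run key.
    if eid == 13 and RUN_KEY_FRAGMENT in ev.get("TargetObject", "").lower():
        hits.append("Adds Run key to start application")
    return hits


def triage(events: list[dict]) -> dict[str, set[str]]:
    """Group matched signatures by ProcessGuid so a chain of behaviours stands out."""
    findings: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for hit in classify(ev):
            findings[ev["ProcessGuid"]].add(hit)
    return dict(findings)


# Constructed sample events: one process doing the whole chain, one benign mail client
# that also talks to smtp.yandex.ru and must not be flagged.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Users\\u\\Downloads\\invoice.exe",
     "Hashes": {"SHA256": SAMPLE_SHA256}},
    {"EventID": 13, "ProcessGuid": "{A1}", "Image": "C:\\Users\\u\\Downloads\\invoice.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\invoice"},
    {"EventID": 11, "ProcessGuid": "{A1}", "Image": "C:\\Users\\u\\Downloads\\invoice.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Users\\u\\Downloads\\invoice.exe",
     "DestinationHostname": "smtp.yandex.ru", "DestinationPort": 587},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\Program Files\\Outlook\\outlook.exe",
     "DestinationHostname": "smtp.yandex.ru", "DestinationPort": 587},
]

if __name__ == "__main__":
    for guid, hits in sorted(triage(EVENTS).items()):
        print(guid, "->", sorted(hits))
```

Matching the hash alone only catches this exact build; the SMTP destination and the Run key plus Drivers write from the same process are what survive a recompiled sample, so in a real deployment the per-process grouping in triage() is the part worth keeping and the hash is just a convenience.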

MITRE ATT&CK Enterprise v15

Tasks