General

  • Target

    ba7f44b5f3e506f56d46fd9ed90571ea_JaffaCakes118

  • Size

    395KB

  • Sample

    240618-jf78yatcpb

  • MD5

    ba7f44b5f3e506f56d46fd9ed90571ea

  • SHA1

    4d31abdd8e0d0f6e06c55a03a7280f60a4dd2d93

  • SHA256

    43e315e229ebf7e78014a10aac9a2ecf2803a4b7f92fbf8eebc5fd445418e807

  • SHA512

    580a3d3dcce807512b6f2be4de65a9c5ed361112e40bdd7aaca34b880562e6c4f89ce3f9656b742cdc1e8be0676730f7e0bdad6a3687b1f196928c26bdd3a551

  • SSDEEP

    6144:DUODGI2tL75tY51lXG8z4rSi63Ie6OOpXDfokp+9SywITY/:4ODGI6L7o5Xr4r06OS+9iIY

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.hovventech.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    vkNKQ*t6

Targets

    • Target

      order_filter.pdf.exe

    • Size

      468KB

    • MD5

      d274810bf907e0ce7fd27dc2dad22b39

    • SHA1

      4c9373f2bea4dfddb57cebbe4a2a5bdf38d409f5

    • SHA256

      c2b44b87549e6b32d9693351bcb48781100e91f1d86ea77c05d85f90b8698a6a

    • SHA512

      b1faabae7c92e4daa0a0c6487b27521e247457189831774aaeafa3774575974fe9fbcb458f5b384fa4320f910a31361ce6b191e34f219ab54abca77cbddc27d3

    • SSDEEP

      6144:ib1/tSrYrju+7ntYX1B/G834r+U634eu+mpd/7oqh+HSyaITjh:ib1LL723//4r8u+O+HAI/h

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15