General

  • Target

    de08e3b7b2f192d2a42d06bd030128ee_JaffaCakes118

  • Size

    415KB

  • Sample

    240913-j6wylatank

  • MD5

    de08e3b7b2f192d2a42d06bd030128ee

  • SHA1

    7a0d5988e848127f523ff9f4247425320fbbb993

  • SHA256

    661dfc3a33769e60554a0ee692f200858c07b685ee588ec69839bd5dad8b502a

  • SHA512

    70ffd2d361a14618414d1a99311412e49f13e2af3d98e08240b726eacd0f4279e51a6cd91c95ca926b87f705ab29a097da63aafae0cf79739a45fc8a2fae6b66

  • SSDEEP

    12288:HJ7JBvWDJD7M/03eALLcQRGkbhBSiIecEt:H/1wpR3eAnPki5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bubuyaya007

Targets

    • Target

      de08e3b7b2f192d2a42d06bd030128ee_JaffaCakes118

    • Size

      415KB

    • MD5

      de08e3b7b2f192d2a42d06bd030128ee

    • SHA1

      7a0d5988e848127f523ff9f4247425320fbbb993

    • SHA256

      661dfc3a33769e60554a0ee692f200858c07b685ee588ec69839bd5dad8b502a

    • SHA512

      70ffd2d361a14618414d1a99311412e49f13e2af3d98e08240b726eacd0f4279e51a6cd91c95ca926b87f705ab29a097da63aafae0cf79739a45fc8a2fae6b66

    • SSDEEP

      12288:HJ7JBvWDJD7M/03eALLcQRGkbhBSiIecEt:H/1wpR3eAnPki5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks