General
-
Target
e11f1e6bd79d5e12885434dcfd703ae3_JaffaCakes118
-
Size
3.7MB
-
Sample
240914-1vk6dsyemq
-
MD5
e11f1e6bd79d5e12885434dcfd703ae3
-
SHA1
dffa2772b1f9edf18586d70fe83716a032634570
-
SHA256
371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d
-
SHA512
05db661decea32032a418e185a9bece0cb1ee6e06e23e7b0cbcd54798c387b3e2ce800c31b5a947570fcd14d63478a2eb862e60060700a7c6f534c6135a2d0f5
-
SSDEEP
49152:+UJ6ZNXox4SgJhBsfHJq/nCFT4Mv0Pt97NfY7+k5K1fyqv+ih69:+tR4xGnCtvwNSK1aqv+4M
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
[email protected] - Password:
Godwin@1234
Targets
-
-
Target
e11f1e6bd79d5e12885434dcfd703ae3_JaffaCakes118
-
Size
3.7MB
-
MD5
e11f1e6bd79d5e12885434dcfd703ae3
-
SHA1
dffa2772b1f9edf18586d70fe83716a032634570
-
SHA256
371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d
-
SHA512
05db661decea32032a418e185a9bece0cb1ee6e06e23e7b0cbcd54798c387b3e2ce800c31b5a947570fcd14d63478a2eb862e60060700a7c6f534c6135a2d0f5
-
SSDEEP
49152:+UJ6ZNXox4SgJhBsfHJq/nCFT4Mv0Pt97NfY7+k5K1fyqv+ih69:+tR4xGnCtvwNSK1aqv+4M
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
UAC bypass
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1