General
Target: dfcf3dc44676f51e3ebc126cdb7f5e12_JaffaCakes118
Size: 368KB
Sample: 240914-j78zjsvanj
MD5: dfcf3dc44676f51e3ebc126cdb7f5e12
SHA1: a225961801d1fc19ca04249f1aaad244e217532d
SHA256: b50a0633963a8ae9cfd05db3af16c16584c55d707a5dac3633cb5318fca4b6d2
SHA512: e7ffa923b40d977feda0b4c18cbef2ee58a325efb2dd8eaa769eea0fa91b57975a8d9cf381e795b9e8348a82574a519aea84b6108b6310a6ac31dad2210afcb5
SSDEEP: 6144:XN7KSt9fM5zqMn8pX14YqNO8xZcMP4BnoCf3bKMhxwbKNKXAijI6JAGK9SXeA:XN7Xt9f4qM8rb8DHPxCf3/PGKNKQcI6f
Static task: static1
Behavioral task: behavioral1
  Sample: proforma invoice.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: proforma invoice.exe
  Resource: win10v2004-20240802-en
Malware Config
Extracted (agenttesla)
Protocol: smtp
Host: business41.web-hosting.com
Port: 587
Username: [email protected]
Password: london1759
Targets
Target: proforma invoice.exe
Size: 474KB
MD5: b79c749616e332aa98dff35091bc7ddb
SHA1: e853d7048efcef7e7c8259e92000d8efca9b66af
SHA256: c9b3d6a92282d003ae960076c147e224c8064fd98229c96df353948dc685237b
SHA512: 156b627138e939abd3b5432783643502d021fcdd0b805380c4f8ce406aa16b06f9b2f09edb62865378c454197cb9f6c9747ec6803078f1fbc2b5935047589ad3
SSDEEP: 12288:LDuUPu3qK0V5f5f5fGRRv5Bt9fcqg8ZVGD9PfCp3pP+KNOQgIMXKy5xU:nuiZZGRRfZkUtV+xf6y
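As an added example that is not part of the sandbox report, the following Python turns the indicators above into two checks a responder would actually run: a hash lookup against the report's file digests (General and Targets blocks) and a scan of egress logs for the SMTP exfiltration endpoint in the extracted config. The hash values, the host business41.web-hosting.com and port 587 are copied from the report; the sample bytes, the key=value log format, the log lines and the corporate relay allowlist are constructed here for the demonstration.

```python
"""Match the IOCs from this report against file hashes and egress logs.

Added example, not part of the sandbox report. The hash values, the SMTP
host and the port are copied from the report above; the sample bytes, log
lines and relay allowlist are constructed here for demonstration.
"""
import hashlib
import re

# File hashes copied from the report (General block and Targets block).
REPORT_HASHES = {
    "dfcf3dc44676f51e3ebc126cdb7f5e12_JaffaCakes118": {
        "md5": "dfcf3dc44676f51e3ebc126cdb7f5e12",
        "sha1": "a225961801d1fc19ca04249f1aaad244e217532d",
        "sha256": "b50a0633963a8ae9cfd05db3af16c16584c55d707a5dac3633cb5318fca4b6d2",
    },
    "proforma invoice.exe": {
        "md5": "b79c749616e332aa98dff35091bc7ddb",
        "sha1": "e853d7048efcef7e7c8259e92000d8efca9b66af",
        "sha256": "c9b3d6a92282d003ae960076c147e224c8064fd98229c96df353948dc685237b",
    },
}

# SMTP exfiltration endpoint from the extracted AgentTesla config.
EXFIL_HOST = "business41.web-hosting.com"
EXFIL_PORT = 587

# Constructed allowlist: the mail relays endpoints are expected to talk to.
CORPORATE_SMTP_RELAYS = {"smtp.corp.example"}


def hash_bytes(data: bytes) -> dict:
    """Compute the same three digests the report lists for a file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hashes(digests: dict) -> list:
    """Return the report targets whose SHA-256 equals the supplied one.

    SHA-256 decides the match; MD5/SHA-1, when supplied, must agree with
    the report as well, otherwise the IOC record is inconsistent.
    """
    hits = []
    for name, ref in REPORT_HASHES.items():
        if digests.get("sha256", "").lower() != ref["sha256"]:
            continue
        for algo in ("md5", "sha1"):
            if algo in digests and digests[algo].lower() != ref[algo]:
                raise ValueError(f"{name}: {algo} disagrees with report")
        hits.append(name)
    return hits


# Constructed egress log lines in a simple key=value firewall format.
LOG_LINES = [
    "2024-09-14T10:01:02Z host=WS-17 proto=tcp dst=business41.web-hosting.com dport=587 action=allow",
    "2024-09-14T10:01:05Z host=WS-17 proto=tcp dst=outlook.office365.com dport=443 action=allow",
    "2024-09-14T10:02:11Z host=WS-22 proto=tcp dst=business41.web-hosting.com dport=443 action=allow",
    "2024-09-14T10:03:40Z host=WS-09 proto=tcp dst=smtp.example.net dport=587 action=allow",
    "2024-09-14T10:04:12Z host=WS-09 proto=tcp dst=smtp.corp.example dport=587 action=allow",
]

LOG_RE = re.compile(r"host=(?P<src>\S+) proto=\S+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def classify(line: str):
    """Severity for one log line, or None if it is not interesting.

    high:   any connection to the configured exfil host, on any port;
            the hostname, not the port, is the reliable indicator here.
    medium: SMTP submission (587) from an endpoint to a relay that is not
            on the corporate allowlist; catches a re-pointed config.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    dst, dport = m["dst"].lower(), int(m["dport"])
    if dst == EXFIL_HOST:
        return "high"
    if dport == EXFIL_PORT and dst not in CORPORATE_SMTP_RELAYS:
        return "medium"
    return None


def flag_exfil(lines) -> list:
    """Return (severity, source host, destination) for every flagged line."""
    alerts = []
    for line in lines:
        sev = classify(line)
        if sev is not None:
            m = LOG_RE.search(line)
            alerts.append((sev, m["src"], f'{m["dst"]}:{m["dport"]}'))
    return alerts


if __name__ == "__main__":
    print(match_hashes(hash_bytes(b"not the real sample")))  # []
    for alert in flag_exfil(LOG_LINES):
        print(alert)
```

The second rule exists because the C2 here is a shared web-hosting mail server: the operator can move to another mailbox without changing anything else in the sample, so a hostname-only indicator ages quickly, whereas endpoints submitting mail directly on 587 to anything other than the organisation's relays is rarely legitimate.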
- AgentTesla: Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, commonly reported as written in Visual Basic .NET.
- AgentTesla payload
- Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copying of, the web browser credential store.
- Checks computer location settings. Looks up the country code configured in the registry, likely used as a geofence.
- Unsecured Credentials: Credentials In Files. Steals credentials from unsecured files.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext. Rewriting a suspended thread's context is commonly associated with process hollowing and thread hijacking, where execution is redirected to injected code.
MITRE ATT&CK Enterprise v15
Persistence
  Event Triggered Execution (1): Netsh Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Event Triggered Execution (1): Netsh Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (5): Credentials In Files (4), Credentials in Registry (1)