General

  • Target

    e2d78887a2f8635e4ea5dd767fd3ac88_JaffaCakes118

  • Size

    492KB

  • Sample

    240915-s98k8s1dkc

  • MD5

    e2d78887a2f8635e4ea5dd767fd3ac88

  • SHA1

    e8c6a218ea38f27ef8c15df38360dccc554a3de1

  • SHA256

    ef88496bd2bebc8225e15f3caa105b7c7f0c9a004ee41c83423ac99bfb9a9ef7

  • SHA512

    68296d8bc286f46c770057c591cf3816c57a480eaca17f26d13d250f7287a7d1518f12211d98f087024ce4b3bdb608d06990915ddd97d4d0e80607f5902591e4

  • SSDEEP

    12288:/+aJZvzhDSVdRIU8bo/hvDVjTuagVpkXonJ5rXkujsSr7:/+SzhDSVdqbo/Gangr0uISr7

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.desmaindian.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    (*IlJex6
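The extracted config gives a concrete exfiltration channel (SMTP submission to the host and port above), which is the most actionable indicator on this page. The following is an added example, not part of the sandbox report, that turns it into hunting logic and runs it over constructed Sysmon-style events (Event ID 3 network connections and Event ID 11 file creations); the events, the PIDs and paths in them, and the set of processes allowed to speak SMTP are all assumptions made up for illustration, and the startup-folder check corresponds to the "Drops startup file" behaviour listed later in the report.

```python
"""Turn the report's extracted AgentTesla SMTP config into hunting logic and
run it over constructed Sysmon-style events. Added example; the events are
invented for illustration and are not telemetry from the sandbox run."""
import os

# Indicators lifted from the extracted config.
EXFIL_HOST = "smtp.desmaindian.com"
EXFIL_PORT = 587

# Processes expected to speak SMTP submission on this estate (assumption; tune locally).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Per-user Startup folder fragment that the "Drops startup file" signature refers to.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed events modelled on Sysmon Event ID 3 (NetworkConnect) and 11 (FileCreate).
EVENTS = [
    {"id": 3, "pid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\g9.exe",
     "dest_host": "smtp.desmaindian.com", "dest_port": 587},
    {"id": 11, "pid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\g9.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g9.exe"},
    {"id": 3, "pid": 2200, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.office365.com", "dest_port": 587},
    {"id": 11, "pid": 900, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Documents\notes.txt"},
]


def image_name(ev):
    """Lower-cased file name of the originating process image."""
    return os.path.basename(ev["image"].replace("\\", "/")).lower()


def network_findings(ev):
    """Flag connections to the extracted C2 host, and SMTP submission from unexpected processes."""
    findings = []
    if ev["id"] != 3:
        return findings
    if ev["dest_host"].lower() == EXFIL_HOST:
        findings.append("smtp_to_extracted_c2")
    if ev["dest_port"] == EXFIL_PORT and image_name(ev) not in MAIL_CLIENTS:
        findings.append("smtp_submission_from_non_mail_client")
    return findings


def file_findings(ev):
    """Flag files written into a user's Startup folder (persistence)."""
    if ev["id"] == 11 and STARTUP_MARKER in ev["target"].lower():
        return ["startup_folder_drop"]
    return []


def hunt(events):
    """Group findings by PID; only PIDs with at least one finding are returned."""
    hits = {}
    for ev in events:
        for finding in network_findings(ev) + file_findings(ev):
            entry = hits.setdefault(ev["pid"], {"image": ev["image"], "findings": set()})
            entry["findings"].add(finding)
    return {pid: {"image": e["image"], "findings": sorted(e["findings"])} for pid, e in hits.items()}


def high_confidence(report):
    """PIDs that both used the exfil channel and established persistence."""
    return sorted(pid for pid, e in report.items()
                  if any(f.startswith("smtp_") for f in e["findings"])
                  and "startup_folder_drop" in e["findings"])


if __name__ == "__main__":
    report = hunt(EVENTS)
    for pid, e in report.items():
        print(pid, e["image"], e["findings"])
    print("high confidence:", high_confidence(report))
```

The host-match rule is the narrow, high-precision one; the port-587-from-non-mail-client rule is the generic one that survives the operator changing hosts, and it is the one most likely to need tuning against legitimate automation that sends mail.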

Targets

    • Target

      g9.exe

    • Size

      977KB

    • MD5

      c572b5b67f1b0f70d7616358e29fbf1b

    • SHA1

      239bdec12f8a2a3e7004a4ea0aae11a28c6c9d26

    • SHA256

      f57d9f56d91abf4cfcd4eceec70dec81a629e9547469a775d1740b3f97175ec9

    • SHA512

      a356c2c0293e0e5a87e2695f5583c3c7d315704dd84e81775eb77a67f88c2ba643df7de9bf9861e3c33c7c2794806be596edb2983fe87304a161ec67090cfa78

    • SSDEEP

      24576:nnLZiPt42JIudVwFZbZeKRg8yXjdXc1f0aVnf:lilqWVEbZ3yXjOykf

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; in this sample the harvested data is sent over the SMTP channel shown in the extracted config.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • UPX packed file

      The executable is packed with the open-source UPX packer or a modified variant of it.

    • Unsecured Credentials: Credentials In Files

      Reads credentials stored in plaintext in configuration or data files on disk.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      Commonly associated with process hollowing and other thread-hijacking injection techniques.
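The "UPX packed file" signature above is cheap to reproduce in static triage. The following is an added example, not the sandbox's own detector, that parses the PE section table and flags the characteristic UPX section names, and separately flags any section whose byte entropy is near 8 bits per byte, which also catches "modified UPX" builds that rename their sections. The PE images it checks are constructed in build_pe() as test input and are not the report's sample; the entropy threshold is an assumed cut-off.

```python
"""Static check for the 'UPX packed file' signature: parse the PE section table
and look for UPX's section names plus a high-entropy section (the latter also
catches renamed/modified UPX). Added example, not the sandbox's own detector;
the PE images are constructed in build_pe() and are not the report's sample."""
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off, tune on your own corpus


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for every section header; raise on non-PE input."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[ptr_raw:ptr_raw + size_raw]


def upx_indicators(pe: bytes) -> dict:
    """Combine the name-based and entropy-based UPX heuristics for one PE image."""
    names, max_entropy = [], 0.0
    for name, raw in pe_sections(pe):
        names.append(name)
        max_entropy = max(max_entropy, shannon_entropy(raw))
    by_name = any(n in UPX_SECTION_NAMES for n in names)
    return {
        "section_names": names,
        "upx_section_names": by_name,
        "max_section_entropy": round(max_entropy, 2),
        "likely_packed": by_name or max_entropy >= ENTROPY_THRESHOLD,
    }


def build_pe(sections) -> bytes:
    """Build a minimal, non-runnable PE32 image from (name, raw_data) pairs (constructed test input)."""
    opt_size = 0xE0  # PE32 optional header size; contents left zeroed
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, body, ptr = b"", b"", hdr_len
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                               len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + headers + body


# Constructed samples: uniform bytes stand in for compressed code in UPX1.
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16), (b".rsrc", b"\0" * 64)])
PLAIN = build_pe([(b".text", b"\x90" * 512), (b".data", b"A" * 64)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(image))
```

To use it on a real file, pass the bytes of the file to upx_indicators(); a hit on section names alone is strong evidence of stock UPX, while an entropy-only hit means "compressed or encrypted section" and needs a second look, since installers and .NET resources can trip it too.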

MITRE ATT&CK Enterprise v15

Tasks