General

  • Target

    e2ca6cf4652db006b200d39176a41ae8_JaffaCakes118

  • Size

    1020KB

  • Sample

    240915-srtdla1bjk

  • MD5

    e2ca6cf4652db006b200d39176a41ae8

  • SHA1

    5cce128cdcc5348ff3a9d8296407a4bfa0d96c54

  • SHA256

    4a604a1400c389ddbd23c6f316bcd77ea820f3a00eab459678a39847ebbc82a6

  • SHA512

    2123a47651398688ca69c5c3261be43aec782aa107978fa2937d63ba5483c58602a7d9f059b720d52a8f2016a94b695ab7c1578400157b90184a8f90fe1a443e

  • SSDEEP

    6144:pZm49UNNMYc+5TdyfZjx1WWiOXbSHtBt3pt7MTa:n9VA5TuZjx1WeGBt3/

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ereglitso.org.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    =itbvqD+KGPp

Targets

    • Target

      Scanned copy invoice.exe

    • Size

      429KB

    • MD5

      2bffa0ee481c114fbae3dd11de379253

    • SHA1

      32192f93fa6650bfc4eb01c0a2731c6fcc3050c3

    • SHA256

      5e8cf7376d24c9637309a847c15ca2fc080d016d91b656dd8adc61f3d7d71abc

    • SHA512

      1d1d74155b7ce5efab02e5fbc6f913daac6afe2645880feb70a65d0dfa47508e514f6ba52d059911f4a330bf99f30e6f1a1f7844f53a1b2468568f8c05817a7b

    • SSDEEP

      6144:DZm49UNNMYc+5TdyfZjx1WWiOXbSHtBt3pt7MTa:19VA5TuZjx1WeGBt3/

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • System Binary Proxy Execution: InstallUtil

      Abuse InstallUtil to proxy execution of malicious code.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks