General

  • Target: e32e0bb4ffc49aad593f7f7119a61e21_JaffaCakes118
  • Size: 419KB
  • Sample: 240915-xmtk1sxhpc
  • MD5: e32e0bb4ffc49aad593f7f7119a61e21
  • SHA1: 9d63f7418fbba6270d67abbede59439c8836323b
  • SHA256: d3d05e0a1f06d4ea96b83681286dc9f230a4bcb82a9ae4fc9bb61dc20725e207
  • SHA512: 9aa918249941f9bfa521306cf63b977f838e84857f99a7760ad5596b40085ef188c1010ae0cc8b30e56dc9688d1f764ef64929d4d997b8b9ec5fd416e63e0590
  • SSDEEP: 6144:TVwhlqlUtcPr78hefiw8FqVvIG87tSqYWrZHUg58hMTFcygeF/7qv5yhflKj:BwHqlUth4aw8099ctSqNUOSyPWWE

Malware Config

Extracted Credentials

  • Protocol: smtp
  • Host: mail.bulletlogistics.in
  • Port: 587
  • Username: [email protected]
  • Password: o&0}lBFN8a7v

Targets

    • Target: New P.O 00076855.exe
    • Size: 429KB
    • MD5: 157bab4816b04ac920b174a76e54befd
    • SHA1: c7e1396c45839ac565b66152e4eee666239f7b90
    • SHA256: 31bb52b28ff0c3c8aebce5ed265a1463e934d089030c38dc88d94ecb11cad660
    • SHA512: 6a6093b80dbce529e8a2d2f0dc7d1fe1f7e3167a0bba08661b016646819a283f4313699ed955a0620301d0954b00a7a5c4ae6e58798bc508a7474d1e0761686a
    • SSDEEP: 12288:QLdpoLWMr2QW3Y9XQPsNjDAm0+focuBJ0m1gss:QTyWMrzWo6gDT0l1XGss

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks