General

  • Target

    e517d3374e1aebd16ba127c07d690319_JaffaCakes118

  • Size

    499KB

  • Sample

    240916-s8x34swbqg

  • MD5

    e517d3374e1aebd16ba127c07d690319

  • SHA1

    1b4d8a8c6426b1383f317451bb9e8ede25a92765

  • SHA256

    5d686ec9f4a6538677095df0d83620d6d04b38e5a84ec5452879786418ce61ea

  • SHA512

    b34ac979e56ef23c65370745b4c93a4c18c8740b055968271407d47b03f34974a75c2fcd2ad4661da0b239d36809ffb482b479a5c2d4b941f4c1ef8fcf2d3f2d

  • SSDEEP

    6144:msTQHucP6eP9IcwdSKU/4LyQZaBkiVJic5HTdhGu5r4D3oicqQHf6nTDbMsBLLPY:mskHjP6eP95tg+qaqiVJi2zbDSYiIfya

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.bankee-ph.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    L%cUXmv3

Targets

    • Target

      e517d3374e1aebd16ba127c07d690319_JaffaCakes118

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks