General

  • Target: e6abae726fe1c201ac4ff243ebba5e82_JaffaCakes118
  • Size: 387KB
  • Sample: 240917-m2s8payhmd
  • MD5: e6abae726fe1c201ac4ff243ebba5e82
  • SHA1: 80f597cbabfc6c820c80547b949ac3d2cbc31c8b
  • SHA256: f3ea50efcd18af6f89a15f83213bd535965ab73d47806d3869a6a91d4ad2f4ae
  • SHA512: c8194b8bff9c0d4dc46eb925081313ac967e47bf5ecc645674b8e29b5bd72247163383a73b1e1c3353b106849fadbffcdc0f52a843f9118dc9908165b4934bec
  • SSDEEP: 12288:vq6+SStkMHhMaayKyRcpxfUBnZzT8sG7wzmH:vquSt/BM7WcpxMd8T7wiH

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: sg2plcpnl0023.prod.sin2.secureserver.net
  • Port: 587
  • Username: [email protected]
  • Password: User@40378

Targets

    • Target: sale order.exe
    • Size: 607KB
    • MD5: 21401a802f9f8e99809f43fc149ef5af
    • SHA1: 0ec95019dd88f12ecb11d143cc34049b04e69b8d
    • SHA256: b0f1177e33f69f0f6027cea30afd8b094efe3fe6b26e2ea3d927d4447b11626e
    • SHA512: ed86c15efb4c39eb46d7b2246ee974664a041c35e4bda5237702a7ad316ebb3fbbb756b3fee7e726802aa5ea34316ed913503564cb1a56c1de8f99f97b89d4c2
    • SSDEEP: 6144:7RtFgERQ+3HwOzyUHKSJxJwSPhvw1MFHSxcmmmaNLO0PXmY2jnOusTqGPnds43wi:72ESo2sJ95cMkmNBOSWVOjqSs43V

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15