General

  • Target

    f11f34f9b8d03cd0e3ad76f65b14d604_JaffaCakes118

  • Size

    612KB

  • Sample

    240922-c7ktdsycja

  • MD5

    f11f34f9b8d03cd0e3ad76f65b14d604

  • SHA1

    fe9381a4b57c295954744db12aee91e1147a38ca

  • SHA256

    7330843cc033439a7451656bdc0723f9b64f19eb8ba5da0ef4d65aa665b76d3a

  • SHA512

    1aca8259403a44c8c9408bf976a332f26b1d62760e6a14d9765e2d38a4653e2decc4edd704cec709d8364e1c06faf6489169525b9ac04bfb2fb1a621a4c80bab

  • SSDEEP

    12288:q1PLka6eiP0Q6tbFvsOELKbddpUcDXp/qGe8Sv4aXm6rz5y7:wY/sT9FkKdpnUd804ek

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.tpts4seed.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    krested123

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks