General

  • Target

    f15b04a60fe78ef35e1e328b63573dcb_JaffaCakes118

  • Size

    1.5MB

  • Sample

    240922-f1vxkatcqn

  • MD5

    f15b04a60fe78ef35e1e328b63573dcb

  • SHA1

    a015733c2bf6413a8b39a9cbb6b73db6014e75e9

  • SHA256

    e5d423a6616b9ced30a4d93f6f253f6000f5f2730266c8da2cd12e59d05f4ea0

  • SHA512

    148c58d077475904621e243285ce4ddd6683f742e720b15f41b7fbd2d0f9afb5473e90893afe8978767372dd5037624256b95897cbe35a16a8282a729ada1ced

  • SSDEEP

    24576:2u6J33O0c+JY5UZ+XC0kGso6Fa+F7SZ23I/Rt4wtADTVx0IY8EPLqrh/JphWY:Yu0c++OCvkGs9Fa+FeZKIFmDf0N8G+5r

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.generce.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    rYLGz!p8

Targets

    • Target

      f15b04a60fe78ef35e1e328b63573dcb_JaffaCakes118

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15