General
-
Target
f577b36893bacfb7ca4bb86f120e4539_JaffaCakes118
-
Size
712KB
-
Sample
240925-hy29zasapj
-
MD5
f577b36893bacfb7ca4bb86f120e4539
-
SHA1
7f7590f366a152855c0674b0c31fb76296298e2c
-
SHA256
eb13bbf89dde5a3876a66aac08acf362b86adb97b2c6fd08f394f7088a4c2b11
-
SHA512
39ad9d8d780c6d99d8de1067d4080dfec5683b5120c92235e5f4372d588cceb5442625dd5177572a06caae9da039483c30ea207454433a5ba9ad7d8016e14b15
-
SSDEEP
12288:w9wGPs+rp0WOYbRuNVB+qObcDUqAwA3cGt0ovde/GLVoF:w9LPr+zA0vo8D10Bt/leOJoF
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
romeovm2015
Targets
-
-
Target
Buyurtma.exe
-
Size
576KB
-
MD5
95b44c8d8b9fc5aa08c54c7e1839f346
-
SHA1
ed9e04421ed3d78fceb93d8df0eef08616cb1808
-
SHA256
f267ae557c75a40bff905fa66b8e7230f3bf58a57645cc945650bd7ecdf71d0a
-
SHA512
5b5b75554d77b99c372e8f5cfb6b4c576ae59be13d99219cad06515c12dc8d6ab704cdd55dc775218369d6fbaf1cfa00aa600a754d1859aaf7a46eaf9645d4a3
-
SSDEEP
12288:icajcXH2pvgIEzS6pCnH2MJNOh9ixMt/LIuiFyN:icaIXIvTE+6pCNkh9i6ZI7Fy
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1