General
-
Target
f5b78c1bc71db6fccaedaefaec4b2f25_JaffaCakes118
-
Size
1.3MB
-
Sample
240925-lkpcqs1dnh
-
MD5
f5b78c1bc71db6fccaedaefaec4b2f25
-
SHA1
8c27776f2b9a2e9d79c7d8d0f2b66e40b2d8fa44
-
SHA256
037a3de09b05bc7a9de39f068e8e5848827040b731a6d5baab940217067a2a29
-
SHA512
828e4203e387e94a124a5f9a819be5bdd25819e7a6e6907b3bb105ca87f4d1b9aee4843e676e5782ce97d60f78830d8ca841e052d1cfc922221598dcd7911be0
-
SSDEEP
12288:8Gk++rOJoWiZTwUE9bRL8GsaezeXIfr05mS3O1r5:8lRrOJoTZT2b1TfyeYMb8
Malware Config
Targets
-
-
Target
Payment Released (Wire).exe
-
Size
776KB
-
MD5
90aa5bab4b53aba795091ca192fcc86b
-
SHA1
2eeb67624567ab532e827fc7a0947053d8b14184
-
SHA256
7d3b3cf7f9e17c1749c2f1fd4e8c2d15749657c6442574ca0b0e5f4ee5babbc1
-
SHA512
394faa1db0b35a3424a90d3f2bb8399d93fd57c0c1a5fc91345bf5c404b60980fae6587764e2eabce35c243d9198ac7e0aeca0346e8da0a667759526726c6dfa
-
SSDEEP
12288:1Gk++rOJoWiZTwUE9bRL8GsaezeXIfr05mS3O1r5:1lRrOJoTZT2b1TfyeYMb8
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1