General

  • Target: fa8a727c5c81364a6e4f405965f7a516_JaffaCakes118
  • Size: 770KB
  • Sample: 240927-rdgbfayclc
  • MD5: fa8a727c5c81364a6e4f405965f7a516
  • SHA1: eda6ceba474fc409c008c7311b26e5514c988c34
  • SHA256: 1c06a29a4078bc203b0b31f8736940cbd58adb8934128147bd454c87902cb0de
  • SHA512: 2b332c908f751a243c4f37992fed27459785ed41b6a930a4f51688fcd9455871c4ca180b8e2f653a3925a4e0fac6b640871bc865ab0b4429cfc2724c7d9723e2
  • SSDEEP: 12288:m3APyh5OSbu8O+8EnUEQQwVXMtDr+erO52JPqevkATp2pYiGG5TCNVEvHIDWbzPD:q5Lr4rOX5upAQZZ

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.privateemail.com
  • Port: 587
  • Username: [email protected]
  • Password: memesking67

Targets

    • Target: fa8a727c5c81364a6e4f405965f7a516_JaffaCakes118

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15