General
-
Target
fd36db21456aafdae8dc95a277ad18ec_JaffaCakes118
-
Size
702KB
-
Sample
240928-1q7htsxfnp
-
MD5
fd36db21456aafdae8dc95a277ad18ec
-
SHA1
ba0a9a57bd3a1cbea7f320a6edac305aa7bb445e
-
SHA256
98b652dc6e95499c80aa4206ee28746dc3246470ea2a9ac4bd5f7222c73855c7
-
SHA512
3b351ee1d3f7d5be5ea6df0e903dad1cff9a9be373394c5d6f80683254eed920746fc6ace6218852bdfe1c4fe36d63f4d21fbf4d7409445f31fe9d1a45234556
-
SSDEEP
12288:f8YcbH5vGk0afqe36YGhCzjoEBQ2rqz9PzXh5N3GSIQdrJr/G3ie7CDCo:E3vuafqeqZmjpBQ/V5N3pQSSo
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.shirdilog.com - Port:
587 - Username:
[email protected] - Password:
SL094521
Extracted
Protocol: smtp- Host:
smtp.shirdilog.com - Port:
587 - Username:
[email protected] - Password:
SL094521
Targets
-
-
Target
Outstanding Invoices.exe
-
Size
755KB
-
MD5
8535be06fe3da04495faaffaf0212462
-
SHA1
b7df2c69caaffc15c9750c37dd81b7d4912684ab
-
SHA256
defbf133c9e7d72102fde035e692158815cf0312c4f96535777e7bbeecd3a796
-
SHA512
9fcaf27b08e89f90a21f3d38bf96f570c11892c23c68fc6a2cfce68f92216f1b024b70d5cd3333d789fcc32583f21e21ca301e389c97ffaae4aa5728829d92b4
-
SSDEEP
12288:tmgb/7vGkeafY+56Yot8zpoEHQmNqzXJZNhjN16U22d97rHcRiK1CDN3/YMYo9WO:tlvQafY+MdAppHQ1jjN1TS0
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Modifies Windows Defender Real-time Protection settings
-
AgentTesla payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1