General

  • Target

    300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118

  • Size

    802KB

  • Sample

    241010-qk3mkssgjj

  • MD5

    300f3f1f1a66b1e440cbdc4efd14e2ef

  • SHA1

    8e1043d8c4b2315fba6d8a9692846f8791c22436

  • SHA256

    71609c370ed4d3d62069401d753b937faf2dc66c0003409999946f5eb1046816

  • SHA512

    a176a7f2d87f8c77b72ad484f315af203502829ddbdaa2d24fe48d656bf65b3166f2cb452067e1b0ef8b4aaa3fa7a4daf32eee65a1b434e44a438e5b1c0c452e

  • SSDEEP

    12288:tt0Q5JEq/y6INX6LRgU7e9OmunzkiL3TJjcKhX3ak0xN:/0kGq/wKgDO3QMJjcKhHaj

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.karanex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    roz%KtT3

Targets

    • Target

      300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118

    • Size

      802KB

    • MD5

      300f3f1f1a66b1e440cbdc4efd14e2ef

    • SHA1

      8e1043d8c4b2315fba6d8a9692846f8791c22436

    • SHA256

      71609c370ed4d3d62069401d753b937faf2dc66c0003409999946f5eb1046816

    • SHA512

      a176a7f2d87f8c77b72ad484f315af203502829ddbdaa2d24fe48d656bf65b3166f2cb452067e1b0ef8b4aaa3fa7a4daf32eee65a1b434e44a438e5b1c0c452e

    • SSDEEP

      12288:tt0Q5JEq/y6INX6LRgU7e9OmunzkiL3TJjcKhX3ak0xN:/0kGq/wKgDO3QMJjcKhHaj

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests saved credentials from web browsers, email clients and FTP/SFTP clients and exfiltrates them over SMTP, FTP or HTTP; the config extracted from this sample shows SMTP exfiltration to mail.karanex.com on port 587 with the credentials listed above.

    • Modifies WinLogon for persistence

      Writes to the Winlogon registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), whose Userinit and Shell values are executed at every interactive logon, so the payload is relaunched after a reboot (ATT&CK T1547.004). Any value under this key that points outside the Windows directory should be treated as suspect.

    • AgentTesla payload

    • System Binary Proxy Execution: InstallUtil

      InstallUtil.exe is the Microsoft-signed installer tool shipped with the .NET Framework. Running attacker code through it hides the payload behind a trusted binary and can bypass allow-listing (ATT&CK T1218.004). Agent Tesla loaders commonly use it as the host process for an injected payload; InstallUtil launched by a process from a user-writable directory, rather than by a build tool or installer, is a strong hunting signal.

    • Checks computer location settings

      Reads the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), most likely as a geofence so the payload can refuse to run in regions the operator wants to avoid.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to read WinSCP stored sessions, which WinSCP keeps by default under HKCU\Software\Martin Prikryl\WinSCP 2\Sessions; saved passwords there are only obfuscated, not encrypted, so they are trivially recoverable.

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla (sitemanager.xml and recentservers.xml in the user's AppData\Roaming\FileZilla folder), which store host, username and base64-encoded password unless a master password is set.

    • Reads user/profile data of local email clients

      Email clients keep account settings and, in many cases, stored credentials on disk or in the registry, which makes them a standard target for infostealers.

    • Reads user/profile data of web browsers

      Infostealers routinely read browser profile data such as the saved-login database, cookies and autofill entries, since these hold credentials and session tokens.

    • Unsecured Credentials: Credentials In Files

      Harvests credentials from files on disk that hold them in plaintext or reversibly encoded form (ATT&CK T1552.001).

    • Accesses Microsoft Outlook profiles

      Reads Outlook profile data under HKCU\Software\Microsoft\Office\<version>\Outlook\Profiles, where account settings and stored mail-server credentials live.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process that the caller has just created in a suspended state is the hallmark of process hollowing: the loader replaces the image of the new process with its payload and redirects the entry point. Together with the InstallUtil signature above, this indicates the Agent Tesla payload was injected into a trusted .NET host process.
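As an added example (not part of the sandbox report and not Agent Tesla's own code), the following Python maps the behaviours listed above onto the kind of endpoint telemetry a responder would hunt in: InstallUtil spawned by a binary in a user-writable directory, a geofence lookup of the Geo\Nation key, SetThreadContext against a freshly created child (process hollowing), reads of several credential stores by one process, a Winlogon write, and an SMTP connection that follows credential access. The event records, PIDs, user name and file paths are constructed; only the SMTP host and port are taken from the extracted config. The store markers and the "two or more store categories" threshold are illustrative heuristics, not a vendor's rule set.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-style events for illustration; not telemetry from the sandbox run.
# PIDs, the user name "u" and the paths are assumptions; host and port are from the config.
EVENTS = [
    {"type": "process_create", "pid": 4210, "ppid": 3120,
     "image": r"C:\Users\u\AppData\Local\Temp\300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry_read", "pid": 4210, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 4388, "ppid": 4210,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\300f3f1f1a66b1e440cbdc4efd14e2ef_JaffaCakes118.exe"},
    {"type": "api_call", "pid": 4210, "api": "SetThreadContext", "target_pid": 4388},
    {"type": "registry_read", "pid": 4388, "key": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "file_read", "pid": 4388, "path": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "file_read", "pid": 4388,
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "registry_read", "pid": 4388,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "registry_set", "pid": 4388,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Userinit"},
    {"type": "network_connect", "pid": 4388, "dest_host": "mail.karanex.com", "dest_port": 587},
    # Benign noise: the real FileZilla client reading its own site manager must not alert.
    {"type": "process_create", "pid": 5000, "ppid": 3120,
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_read", "pid": 5000, "path": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
# (category, lower-case path/key fragment). Categories mirror the report's stealer signatures.
CREDENTIAL_STORES = [
    ("winscp", r"\winscp 2\sessions"),
    ("ftp_client", r"\filezilla\sitemanager.xml"),
    ("ftp_client", r"\filezilla\recentservers.xml"),
    ("outlook", r"\outlook\profiles"),
    ("browser", r"\login data"),      # Chromium saved logins
    ("browser", r"\logins.json"),     # Firefox saved logins
]
MAIL_PORTS = {25, 465, 587}


def from_user_writable(path):
    """True if the image lives somewhere an unprivileged user can write (a loader location)."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def store_category(location):
    """Classify a registry key or file path as a known credential store, or None."""
    loc = location.lower()
    for category, marker in CREDENTIAL_STORES:
        if marker in loc:
            return category
    return None


def triage(events):
    """Return {pid: set(signature names)} after a single pass over the event stream."""
    hits = defaultdict(set)
    stores = defaultdict(set)   # pid -> credential store categories it has touched
    spawned = {}                # child pid -> parent pid, from process_create events
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            spawned[pid] = ev["ppid"]
            if (ntpath.basename(ev["image"]).lower() == "installutil.exe"
                    and from_user_writable(ev["parent_image"])):
                hits[pid].add("installutil_proxy_exec")
        elif kind == "registry_read" and ev["key"].lower().endswith(r"\international\geo\nation"):
            hits[pid].add("geofence_lookup")
        elif kind == "api_call" and ev["api"] == "SetThreadContext" and spawned.get(ev["target_pid"]) == pid:
            # Rewriting the thread context of a process you just created is the hollowing pattern.
            hits[pid].add("process_hollowing")
        elif (kind == "registry_set" and ev["key"].lower().endswith("\\winlogon")
                and ev["value"].lower() in ("userinit", "shell")):
            hits[pid].add("winlogon_persistence")
        elif kind == "network_connect" and ev["dest_port"] in MAIL_PORTS and stores[pid]:
            # Mail submission from a process that has already read credential stores.
            hits[pid].add("smtp_exfil_after_credential_access")
        if kind in ("registry_read", "file_read"):
            category = store_category(ev.get("key") or ev.get("path"))
            if category:
                stores[pid].add(category)
                # One application reading its own store is normal; two or more kinds is not.
                if len(stores[pid]) >= 2:
                    hits[pid].add("credential_store_access")
    return dict(hits)


if __name__ == "__main__":
    for pid, names in sorted(triage(EVENTS).items()):
        print(pid, sorted(names))
```

The loader process (4210) is credited with the geofence lookup and the hollowing, while the hollowed InstallUtil process (4388) carries the credential access, the Winlogon write and the outbound SMTP, which is exactly the split a responder sees when only the child process appears in network logs; pivoting on the parent PID is what ties the two halves together. The benign FileZilla read touches a single store category and produces no hit.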

MITRE ATT&CK Enterprise v15

Tasks