General

  • Target

    859013972d88cd1a9c225d1e945d7d4e_JaffaCakes118

  • Size

    720KB

  • Sample

    241102-p8vffavcqg

  • MD5

    859013972d88cd1a9c225d1e945d7d4e

  • SHA1

    45f53c6dbed5fbc10f8dafc5a87a2edb6a68d566

  • SHA256

    057883d711c8709cf98df054b86aa9f4e9ed0dc0b82ce31333f7577da3e708f6

  • SHA512

    9836c2109ea0cf0e066b389e3ff8d365d6d5a0a19c3843cd5b45354d3b5fb99991e4b9cadaa21120f18c16d9ea83869f06b74e719d86f296f3e0214576db022f

  • SSDEEP

    12288:F0VB/FiE7xQQioQtWDfZlDHuWXN42j5+7faor/bE3:IB7xQ1ok4tu2NDwz

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ratllc.ae
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MGRRATnowzathALI@RATdxbDXBAgro786

Targets

    • Target

      859013972d88cd1a9c225d1e945d7d4e_JaffaCakes118

    • Size

      720KB

    • MD5

      859013972d88cd1a9c225d1e945d7d4e

    • SHA1

      45f53c6dbed5fbc10f8dafc5a87a2edb6a68d566

    • SHA256

      057883d711c8709cf98df054b86aa9f4e9ed0dc0b82ce31333f7577da3e708f6

    • SHA512

      9836c2109ea0cf0e066b389e3ff8d365d6d5a0a19c3843cd5b45354d3b5fb99991e4b9cadaa21120f18c16d9ea83869f06b74e719d86f296f3e0214576db022f

    • SSDEEP

      12288:F0VB/FiE7xQQioQtWDfZlDHuWXN42j5+7faor/bE3:IB7xQ1ok4tu2NDwz

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, typically written in Visual Basic .NET, that exfiltrates harvested data over SMTP, FTP or HTTP; this sample uses the SMTP account extracted above.

    • Agenttesla family

    • AgentTesla payload

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence to avoid running in certain regions.

    • Unsecured Credentials: Credentials In Files

      Steals credentials stored in unsecured files (saved browser, mail and FTP client profiles).

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
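
The behaviour list above maps directly onto hunting rules. The following is an added example, not output of the sandbox or code from the report: it expresses each listed behaviour (Run key persistence, file drop under the drivers directory, the registry geofence lookup, Outlook profile access, SMTP to the extracted exfiltration host, and the WriteProcessMemory / SetThreadContext / ResumeThread hollowing sequence) as a rule over a constructed, simplified API-level trace. The trace schema and the sample events are constructed for the example; the registry paths assumed for the location setting (HKCU\Control Panel\International\Geo) and for Outlook profiles are marked as assumptions in the code. Note that Sysmon alone would not drive the two registry-read rules, since it logs registry writes but not reads; those need sandbox or EDR API telemetry.

```python
"""Hunting rules for the behaviours listed in this report.

Added example, not part of the sandbox report. The trace schema below is a
constructed simplification of API-level telemetry (a sandbox trace or EDR
feed); Sysmon alone would not do, since it records registry writes but not
the registry reads behind the geofence and Outlook-profile checks.
"""
import re
from collections import defaultdict

# Exfiltration endpoint, from the extracted config above.
C2_HOST = "mail.ratllc.ae"
C2_PORT = 587

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
DRIVERS_DIR = re.compile(r"^[A-Z]:\\Windows\\System32\\drivers\\", re.I)
# Assumption: "computer location settings" is the user's GeoID under
# HKCU\Control Panel\International\Geo (value "Nation").
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
# Assumption: Outlook account profiles live under one of these two paths.
OUTLOOK_PROFILES = re.compile(
    r"\\(Office\\\d+\.\d+\\Outlook\\Profiles|Windows Messaging Subsystem\\Profiles)(\\|$)",
    re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def hunt(trace):
    """Return {behaviour: sorted process names} for every rule the trace triggers.

    Each event is a dict with "op" and "proc" plus:
      reg_set / reg_query: key            (full registry path)
      file_create:         path
      net_connect:         host, port
      api:                 name, target_pid (cross-process calls only)
    """
    hits = defaultdict(set)
    # Injection stages reached per (caller, target pid).
    stages = defaultdict(set)

    for ev in trace:
        proc, op = ev["proc"].lower(), ev["op"]
        if op == "reg_set" and RUN_KEY.search(ev["key"]):
            hits["run_key_persistence"].add(proc)
        elif op == "file_create" and DRIVERS_DIR.search(ev["path"]):
            hits["drop_in_drivers_dir"].add(proc)
        elif op == "reg_query" and GEO_KEY.search(ev["key"]):
            hits["geo_location_lookup"].add(proc)
        elif op == "reg_query" and OUTLOOK_PROFILES.search(ev["key"]):
            hits["outlook_profile_access"].add(proc)
        elif op == "net_connect":
            # The known host is flagged on any port; any process that is not a
            # mail client talking submission SMTP (587) is flagged as well.
            if ev["host"].lower() == C2_HOST or (
                    ev["port"] == C2_PORT and proc not in MAIL_CLIENTS):
                hits["smtp_exfil"].add(proc)
        elif op == "api":
            # Hollowing pattern: write into a remote process, redirect one of
            # its threads with SetThreadContext, then let it run.
            st = stages[(proc, ev["target_pid"])]
            if ev["name"] == "WriteProcessMemory":
                st.add("written")
            elif ev["name"] == "SetThreadContext" and "written" in st:
                st.add("redirected")
            elif ev["name"] == "ResumeThread" and "redirected" in st:
                hits["set_thread_context_injection"].add(proc)

    return {k: sorted(v) for k, v in hits.items()}


# Constructed trace modelled on the behaviour list above; not sandbox output.
SAMPLE_TRACE = [
    {"op": "reg_query", "proc": "sample.exe",
     "key": r"HKCU\Control Panel\International\Geo"},
    {"op": "file_create", "proc": "sample.exe",
     "path": r"C:\Windows\System32\drivers\update.dat"},
    {"op": "reg_query", "proc": "sample.exe",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"op": "reg_set", "proc": "sample.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"op": "api", "proc": "sample.exe", "name": "WriteProcessMemory", "target_pid": 4120},
    {"op": "api", "proc": "sample.exe", "name": "SetThreadContext", "target_pid": 4120},
    {"op": "api", "proc": "sample.exe", "name": "ResumeThread", "target_pid": 4120},
    {"op": "net_connect", "proc": "sample.exe", "host": "mail.ratllc.ae", "port": 587},
    # Benign noise that must not trigger anything.
    {"op": "net_connect", "proc": "outlook.exe", "host": "smtp.office365.com", "port": 587},
    {"op": "reg_set", "proc": "explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
]

if __name__ == "__main__":
    for behaviour, procs in sorted(hunt(SAMPLE_TRACE).items()):
        print(f"{behaviour:30} {', '.join(procs)}")
```

The SetThreadContext rule is deliberately stateful: a bare SetThreadContext call is common in debuggers and some runtimes, so only the ordered write-redirect-resume sequence against the same remote process is flagged. The SMTP rule treats the extracted host as a hard indicator and port 587 from a non-mail-client process as a softer one; tune MAIL_CLIENTS to the environment before deploying it.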

MITRE ATT&CK Enterprise v15

Tasks