General

  • Target

    85e1cbc865c80128948f58456a93cf8b_JaffaCakes118

  • Size

    748KB

  • Sample

    241102-rmmvkswflb

  • MD5

    85e1cbc865c80128948f58456a93cf8b

  • SHA1

    a728afca187dcbf4d9f595290f9ff51f132a3ab7

  • SHA256

    2fb30d715f1941f9d1db89cea4fdbf8cbc2ee8c5688a7d4d932f703b459f633f

  • SHA512

    5a63b5a48092624ade7f583c2ef1e6100b5bee3f01103e4f6b7410d2a9d44719494d7afaad9de2c5496beb61ee20864164872656fbca7c711d5c7ba07d8cd1b9

  • SSDEEP

    12288:B1qXMR9EqnwRg7hm6rYj53MWjUnM/xtXdmcVrzPke2gfIQFT19uCQsHqAPMeNST/:B1tRZmP6UJDtX4cFPOkIex9kCMee/

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    webmail.almasroor.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    042264528

Targets

    • Target

      Payment proof.exe

    • Size

      898KB

    • MD5

      d4ab2082f217f9e476b90ae6c4cda32b

    • SHA1

      1d3f6bac27179b7edb2fa2ac65c92225e29b2008

    • SHA256

      8e21b25da6d1e6d4105e3099fbef0c3fc7d880bb79ed3a09b5b7361255475955

    • SHA512

      506dcecb01f3b8c034fbdffc4e469acd190919f2cbc143315ae358bdffe4fe6e9a03d17da9ba8f79e16e142e678351d6491cf52dd91f27290267cad33dc2aa1e

    • SSDEEP

      12288:FNzWcHK7zYheEqnwdS7hc6rYjN9MWjUn+/xv3dmSVh/vI0YkDKwLDN9ueQSlEEPK:rzmXEN6U7Bv34SPvyKKih9SqKe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • AgentTesla payload

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks