General

  • Target

    8c5abfbafa1f89f3b185991f8034e512_JaffaCakes118

  • Size

    955KB

  • Sample

    241103-tqmp4a1mak

  • MD5

    8c5abfbafa1f89f3b185991f8034e512

  • SHA1

    5828921401d69e1c9bf722a8be72336cb4ee8747

  • SHA256

    6446aa9e6d05fbf19b8458e5ee6d3f10f9eb5a874c98290712aa7453737b7a8c

  • SHA512

    9e4adbbf00a9c29a253031030824aef5e78e6bea8c5c8564c5284d2f8ea4a3ebafcff82fd1f2f2a09693231db1fb9828d9442e7e84e7605503470ea84b60b913

  • SSDEEP

    24576:3YJSji6urlYEkG5p40JH1O3PSyQrG1iSaWpySbFh3XSjHnHE:3QHM/S5rYXpyS5h3ijE

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.tanttec.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    fJ#kxSi1

Targets

    • Target

      8c5abfbafa1f89f3b185991f8034e512_JaffaCakes118


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks