General

  • Target

    JaffaCakes118_92f0f26b5ab4993993a4c4139638505e3c3e37aa706797e79ea7eaf507e096e3

  • Size

    618KB

  • Sample

    241222-zj71caypcr

  • MD5

    53deb232143c32fcd799d0245213b240

  • SHA1

    b92fc7914a8e26b15413ac9e1aef2c6d0764c258

  • SHA256

    92f0f26b5ab4993993a4c4139638505e3c3e37aa706797e79ea7eaf507e096e3

  • SHA512

    2dfe5040b2c248674a7485afe9ad299ed8c6825e8f4e0cf411ab64c8e2ef83d908e7c354494fb4bbe3dbfbbf1c3922495b5bdc4d968d474c6251426184ecb899

  • SSDEEP

    12288:3J5cI8cqYSaD7ARSTYaX+9xYPUOgjvbehVM3+Ih+Kvh3iN8Y:3KaIiTJs7vhSj

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.madobayi.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    cdd756

Targets

    • Target

      e19b5109b7d4ecd4f5110fec0f74dd8ff3f36a09392df654b7800ec641d0e237

    • Size

      893KB

    • MD5

      286b3255bc30021a7f26606543ccd203

    • SHA1

      e43e1ff0e76993fa6e32356505f652563f1a4edd

    • SHA256

      e19b5109b7d4ecd4f5110fec0f74dd8ff3f36a09392df654b7800ec641d0e237

    • SHA512

      f4c4f7842a979e638318ae272c082adac73dd50405aa5d81da6254cc7e03cddd62ed2a4dd79e24ef7d92f06514f31d3dec32c45174a6ccd6a6f5f55f62462300

    • SSDEEP

      12288:5JZJN09qWj1LuR6EcyO0+Y0b9hiC3F7hcij6e8fUUDTvQamxDe96H+sJFlM0yZ:fZJN0HjBh6x29QC3gij6XUwse9a5Jg

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks