General

  • Target

    VKvpYL0wrWsqMCq.exe

  • Size

    419KB

  • Sample

    200629-7aelp91crn

  • MD5

    13d7cd097e93151b14f1b026415aca5b

  • SHA1

    555054495c743716c039343be8787a839eae919e

  • SHA256

    dac16914e3eef447d6e540c6296c4a93085367f26709c5707aecfa1e37910fbf

  • SHA512

    d06df718a230eec19735f1dda83239a76c43e372778667fe4fdcbc9bb491dc65144241bdcab681cd059109785407add7392b18a279993231a231b404c3bce2b4

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mehatinfo.com
  • Port:
    587
  • Username:
    10343@mehatinfo.com
  • Password:
    %tX~,JZfRhAe

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 3

  • Collection
    Data from Local System (T1005): 3
