General

  • Target

    shipping invoice.doc.exe

  • Size

    441KB

  • Sample

    200629-y1ygjtcx3n

  • MD5

    ee64f2d88f5682ab1b3d6421d1690499

  • SHA1

    58959ee327e04f06316c9377b381f47927fa5b24

  • SHA256

    4464e1f0a9cd4c97b7d96d68f74cd59c4e5dae1d0a4f5cf5ef5c2a1450ee473f

  • SHA512

    1bd1e111b4df0dd30ead2f0f019a0d0f14c697fa64b77684d398dbb373ac1cda685a2fbb12dfc2f286b1ce0c81dbfdae7ee859ca4e108d03186e928d39a7c381

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    infokingking88@yandex.ru
  • Password:
    kingmoney12345

Targets

    • Target

      shipping invoice.doc.exe

    • Size

      441KB

    • MD5

      ee64f2d88f5682ab1b3d6421d1690499

    • SHA1

      58959ee327e04f06316c9377b381f47927fa5b24

    • SHA256

      4464e1f0a9cd4c97b7d96d68f74cd59c4e5dae1d0a4f5cf5ef5c2a1450ee473f

    • SHA512

      1bd1e111b4df0dd30ead2f0f019a0d0f14c697fa64b77684d398dbb373ac1cda685a2fbb12dfc2f286b1ce0c81dbfdae7ee859ca4e108d03186e928d39a7c381

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Tasks