General

  • Target

    swift 000394893903_06-30-2020.exe

  • Size

    447KB

  • Sample

    200630-btafsa7qpx

  • MD5

    6f91140fa0d68de6d62259cba6589a8e

  • SHA1

    255bfe754cd1ae48f374d073f97fc1499edc0ec2

  • SHA256

    5e75bcc407b1263e3d3d72f2262d16a48b456103c9078eeff72159c29800eaf9

  • SHA512

    4143779ff0576e7996b49f0cf54746fdccdbc2022e9179a20b5b95d884c3d66af0b9c0b27d5ea6f8b39c99701eba501edc0c40bb8a3ba316de026356b0108310

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.protege.com.mx
  • Port:
    587
  • Username:
    veronica.serrato@protege.com.mx
  • Password:
    se*-V

Targets

    • Target

      swift 000394893903_06-30-2020.exe

    • Size

      447KB

    • MD5

      6f91140fa0d68de6d62259cba6589a8e

    • SHA1

      255bfe754cd1ae48f374d073f97fc1499edc0ec2

    • SHA256

      5e75bcc407b1263e3d3d72f2262d16a48b456103c9078eeff72159c29800eaf9

    • SHA512

      4143779ff0576e7996b49f0cf54746fdccdbc2022e9179a20b5b95d884c3d66af0b9c0b27d5ea6f8b39c99701eba501edc0c40bb8a3ba316de026356b0108310

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

3
T1005

Tasks