General

  • Target

    Scan copy 06-30,pdf.exe

  • Size

    652KB

  • Sample

    200630-hdb5c8bcrx

  • MD5

    7bd2515a0f9ebde930e27c0bf06e131c

  • SHA1

    3347f073c4ad2fa6b1e8d67dab4e0b620421862f

  • SHA256

    c91e8129cb25677b01b171c95df30e2d7500eb40f2c375b70aa0463564b385c5

  • SHA512

    a0143436b1d9cd9c1edc52df95531b91238b66045fc5476e928fbdaab01cfeb55569069e3d824cd8f2fc176e03ccc3b10fa843942154acda8ff948500cd91908

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: server03.imanila.ph
  • Port: 587
  • Username: service@handyware.net.ph
  • Password: EZ5E83Pe%V-N

    These are the SMTP account details embedded in the sample's configuration: the stealer authenticates to this mailbox to send the harvested credentials out, so the host, port and username are network and mailbox indicators for this sample, and the account itself should be treated as compromised.

Targets

    • Target

      Scan copy 06-30,pdf.exe

    • AgentTesla

      Agent Tesla is a .NET-based (VB.NET) information stealer and remote access tool (RAT). It harvests saved credentials from browsers, mail clients and FTP clients and exfiltrates them, in this sample over SMTP using the account shown in the Malware Config section.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data (account settings and saved passwords) on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process outside a debugger is the hallmark of process hollowing (RunPE): the loader starts a suspended copy of an executable, writes the decrypted payload into it and points the thread at the new entry point, so the stealer runs under a different image name than the one that was dropped.
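One way to hunt for this combination of behaviours in endpoint telemetry, as an added example that is not part of the sandbox report: it correlates reads of the credential stores named in the signatures above (FTP client, mail client, browser) by a process that does not own them with an outbound SMTP connection from the same process, the exfiltration channel shown in the Malware Config section. The event feed, its field layout, the path patterns and the process allowlists are constructed for illustration; only the sample's file name and the SMTP host and port come from the report.

```python
"""Correlate credential-store reads with outbound SMTP, per process.

Added hunting example (not from the sandbox report).  Input is a constructed
pipe-separated event feed: kind|pid|image path|target, where kind is
"file" (a file read, target is the path) or "net" (an outbound connection,
target is host:port).  Real telemetry (e.g. Sysmon) would need its own parser.
"""
import re
from collections import defaultdict

# Credential stores the report's signatures describe, with the images that
# legitimately read them.  Path patterns and allowlists are illustrative.
CREDENTIAL_STORES = {
    "ftp_client": (
        [re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)],
        {"filezilla.exe"},
    ),
    "email_client": (
        [re.compile(r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)],
        {"thunderbird.exe"},
    ),
    "web_browser": (
        [re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
         re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)],
        {"chrome.exe", "firefox.exe"},
    ),
}

SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}   # expected to speak SMTP

# Constructed telemetry: pid 4120 behaves like the sample, pid 2200 is a real
# mail client reading its own store, pid 3300 is benign noise.
SAMPLE_EVENTS = r"""
file|4120|C:\Users\bob\Downloads\Scan copy 06-30,pdf.exe|C:\Users\bob\AppData\Roaming\FileZilla\sitemanager.xml
file|4120|C:\Users\bob\Downloads\Scan copy 06-30,pdf.exe|C:\Users\bob\AppData\Roaming\Thunderbird\Profiles\k1x9.default\logins.json
file|4120|C:\Users\bob\Downloads\Scan copy 06-30,pdf.exe|C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data
net|4120|C:\Users\bob\Downloads\Scan copy 06-30,pdf.exe|server03.imanila.ph:587
file|2200|C:\Program Files\Mozilla Thunderbird\thunderbird.exe|C:\Users\bob\AppData\Roaming\Thunderbird\Profiles\k1x9.default\logins.json
net|2200|C:\Program Files\Mozilla Thunderbird\thunderbird.exe|mail.example.com:587
file|3300|C:\Windows\explorer.exe|C:\Users\bob\Documents\report.docx
net|3300|C:\Windows\explorer.exe|93.184.216.34:443
"""


def classify_path(path):
    """Return the credential-store category a file path belongs to, or None."""
    for category, (patterns, _) in CREDENTIAL_STORES.items():
        if any(p.search(path) for p in patterns):
            return category
    return None


def image_name(image):
    """Lower-cased executable name from a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def analyse(lines):
    """Return {pid: finding} for processes that read credential stores they
    do not own; a finding that also opens SMTP gets the strongest verdict."""
    state = defaultdict(lambda: {"image": None, "categories": set(), "smtp": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        kind, pid, image, target = line.split("|", 3)
        rec = state[int(pid)]
        rec["image"] = image
        exe = image_name(image)
        if kind == "file":
            category = classify_path(target)
            # Ignore the owning application reading its own store.
            if category and exe not in CREDENTIAL_STORES[category][1]:
                rec["categories"].add(category)
        elif kind == "net":
            _, _, port = target.rpartition(":")
            if port.isdigit() and int(port) in SMTP_PORTS and exe not in MAIL_CLIENTS:
                rec["smtp"].add(target)

    findings = {}
    for pid, rec in state.items():
        if not rec["categories"]:
            continue  # never touched a foreign credential store
        if rec["smtp"]:
            verdict = "credential theft with SMTP exfiltration (Agent Tesla-like)"
        elif len(rec["categories"]) >= 2:
            verdict = "credential theft across multiple stores"
        else:
            verdict = "single credential store read, review manually"
        findings[pid] = {
            "image": rec["image"],
            "categories": sorted(rec["categories"]),
            "smtp": sorted(rec["smtp"]),
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for pid, f in analyse(SAMPLE_EVENTS.splitlines()).items():
        print(pid, f["image"], f["verdict"])
        print("   stores:", ", ".join(f["categories"]), " smtp:", ", ".join(f["smtp"]))
```

The owner allowlist is what keeps the mail client (pid 2200) out of the findings even though it reads the same logins.json and talks to port 587; on a real fleet you would also want to key the allowlist on signed image paths rather than bare executable names, since a stealer can simply name itself thunderbird.exe.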

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081), matched by 3 signatures

  • Collection

    Data from Local System (T1005), matched by 3 signatures

    The three signatures are the FTP client, email client and browser data reads listed above, each mapped to both techniques. T1081 was retired in later ATT&CK versions; the equivalent current mapping is T1552.001 (Unsecured Credentials: Credentials In Files).
