General

  • Target

    Payment Notification.exe

  • Size

    609KB

  • Sample

    200630-hsz9ekykts

  • MD5

    cf0e7eab0b481b19ddae9e91da7f33bf

  • SHA1

    6cdb55e9de8e6ff1f5908ecdfe9acf78e6f9f507

  • SHA256

    97877280bba9500fb1cb5d466a66337ff281c278339b089bcb661bbb342adcf1

  • SHA512

    94f3e513878bd66e7d52bf34b6089ba5ed3fce558fcf154a29023f3b447d9b1d75db51edf0bb01970a1d25ed7ce1cc11fd210af9f567559292cc379fc95290ec

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    logsdetails0@yandex.com
  • Password:
    Hunter$#@145722

Targets

    • Target

      Payment Notification.exe

    • Size

      609KB

    • MD5

      cf0e7eab0b481b19ddae9e91da7f33bf

    • SHA1

      6cdb55e9de8e6ff1f5908ecdfe9acf78e6f9f507

    • SHA256

      97877280bba9500fb1cb5d466a66337ff281c278339b089bcb661bbb342adcf1

    • SHA512

      94f3e513878bd66e7d52bf34b6089ba5ed3fce558fcf154a29023f3b447d9b1d75db51edf0bb01970a1d25ed7ce1cc11fd210af9f567559292cc379fc95290ec

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Tasks