General

  • Target

    INVOICE copy.pdf.exe

  • Size

    689KB

  • Sample

    200630-l64c456h6n

  • MD5

    5f6d5bc9d3eb49159c86ad34d9d56630

  • SHA1

    6ca254c29159461ec8b0102c7a830656729b1989

  • SHA256

    3ebf463f9b7164a3e4ebcbac495f7fe23b2dbe7f18a7ebc2c0ee55fb4b651c83

  • SHA512

    da82a06d2d2351f0a5f11b5a326db73110a713b231521449074906602ca12bfd6e2641ffb345a7351e9b1a6dfc95997ce995a4368a2fe351f602e3cc0d9878d0

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    chinapeace@yandex.com
  • Password:
    chibuikelightwork1

Targets

    • Target

      INVOICE copy.pdf.exe

    • Size

      689KB

    • MD5

      5f6d5bc9d3eb49159c86ad34d9d56630

    • SHA1

      6ca254c29159461ec8b0102c7a830656729b1989

    • SHA256

      3ebf463f9b7164a3e4ebcbac495f7fe23b2dbe7f18a7ebc2c0ee55fb4b651c83

    • SHA512

      da82a06d2d2351f0a5f11b5a326db73110a713b231521449074906602ca12bfd6e2641ffb345a7351e9b1a6dfc95997ce995a4368a2fe351f602e3cc0d9878d0

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Tasks