General

  • Target: 200004396.exe
  • Size: 399KB
  • Sample: 200630-qgm5gp9zmx
  • MD5: 7e90e5f5106e876f9f080b224cbc069d
  • SHA1: 8e52b1163bcc86538aa8beb66166cba9c1ee426c
  • SHA256: 7ac2dee76520e25a21918a6ee79eedaf1a9de51aaee643d21d9cf6346451555e
  • SHA512: 4f60c309c6abb4757b68261736a4ab0eb14252316ee673e872080c323a89be6761139b0e95fdafdc8eb05e14a99aa74d21c735a35182f808fcb76f3eb12f2d0f

Malware Config

Extracted

  • Family: agenttesla
  • Credentials (SMTP exfiltration account)
      • Protocol: smtp
      • Host: smtp.yandex.ru
      • Port: 587
      • Username: f.grac3@yandex.ru
      • Password: HYBRID@@@

The extracted account is the sample's exfiltration channel: Agent Tesla builds with an SMTP configuration authenticate to the configured mail server and send the harvested credentials and keystrokes as e-mail. The host/port pair is therefore a usable network indicator, and the account itself is a takedown/abuse-report target rather than something to log in to.

Targets

    • Target: 200004396.exe
    • Size: 399KB
    • MD5: 7e90e5f5106e876f9f080b224cbc069d
    • SHA1: 8e52b1163bcc86538aa8beb66166cba9c1ee426c
    • SHA256: 7ac2dee76520e25a21918a6ee79eedaf1a9de51aaee643d21d9cf6346451555e
    • SHA512: 4f60c309c6abb4757b68261736a4ab0eb14252316ee673e872080c323a89be6761139b0e95fdafdc8eb05e14a99aa74d21c735a35182f808fcb76f3eb12f2d0f

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and infostealer that harvests credentials and keystrokes and exfiltrates them over SMTP, FTP or HTTP, depending on the build's configuration.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla (for example sitemanager.xml and recentservers.xml, which hold saved server credentials).

    • Reads user/profile data of local email clients

      Email clients store account settings and saved passwords on disk, where infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the register state of a (usually suspended) thread. Outside debuggers this is characteristic of process injection and process hollowing: the entry point of a child or remote thread is redirected into code the malware has written, which is the usual way Agent Tesla loaders hand off to the final payload.
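The indicators above (the sample hashes, the extracted SMTP exfiltration endpoint, and the three "Reads ..." credential-store signatures) are enough to write a small triage routine. The following is an added example, not part of the sandbox report: it hashes a candidate file against the report's digests, flags credential-store reads by processes that do not own those stores, flags SMTP connections that match the extracted host/port or come from a non-mail-client image, and correlates the two per process into the "read credentials, then speak SMTP" chain this sample exhibits. The event schema, image and file paths are constructed for the example; the credential-store locations are the applications' well-known defaults.

```python
"""Triage helpers built from this report's indicators: the sample hashes, the
extracted SMTP exfiltration endpoint and the credential-store reads that the
sandbox signatures describe. Events and paths below are constructed examples."""
import hashlib
from collections import defaultdict

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "7e90e5f5106e876f9f080b224cbc069d",
    "sha1": "8e52b1163bcc86538aa8beb66166cba9c1ee426c",
    "sha256": "7ac2dee76520e25a21918a6ee79eedaf1a9de51aaee643d21d9cf6346451555e",
}
EXFIL_HOST = "smtp.yandex.ru"
EXFIL_PORT = 587
SMTP_PORTS = {25, 465, 587}

# Default on-disk credential stores behind the three "Reads ..." signatures,
# with the images that legitimately own them (lower-case path fragments).
CREDENTIAL_STORES = {
    "ftp_client": {
        "fragments": (r"\filezilla\recentservers.xml", r"\filezilla\sitemanager.xml"),
        "owners": {"filezilla.exe"},
    },
    "browser": {
        "fragments": (r"\google\chrome\user data\default\login data",
                      r"\mozilla\firefox\profiles\\"),
        "owners": {"chrome.exe", "firefox.exe"},
    },
    "email_client": {
        "fragments": (r"\thunderbird\profiles\\",),
        "owners": {"thunderbird.exe"},
    },
}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def hash_matches(data: bytes) -> dict:
    """Return {algo: bool} telling which of the report's hashes `data` reproduces."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest
            for algo, digest in SAMPLE_HASHES.items()}


def _image_name(image: str) -> str:
    """Lower-case basename of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict):
    """Map one telemetry event to a (rule, detail) pair, or None if benign."""
    image = _image_name(event["image"])
    if event["event"] == "file_access":
        path = event["path"].lower()
        for category, store in CREDENTIAL_STORES.items():
            if any(f in path for f in store["fragments"]) and image not in store["owners"]:
                return "credential_store_read", category
    elif event["event"] == "network_connect":
        host, port = event["dest_host"].lower(), event["dest_port"]
        if host == EXFIL_HOST and port == EXFIL_PORT:
            return "smtp_exfil_endpoint", f"{host}:{port}"
        if port in SMTP_PORTS and image not in MAIL_CLIENTS:
            return "smtp_from_non_mail_client", f"{host}:{port}"
    return None


def triage(events: list) -> list:
    """Flag individual events, then correlate per image: a process that reads a
    credential store and also speaks SMTP matches the infostealer chain seen here."""
    findings, per_image = [], defaultdict(set)
    for ev in events:
        hit = classify_event(ev)
        if hit:
            rule, detail = hit
            findings.append({"rule": rule, "image": ev["image"], "detail": detail})
            per_image[ev["image"]].add(rule)
    exfil_rules = {"smtp_exfil_endpoint", "smtp_from_non_mail_client"}
    for image, rules in per_image.items():
        if "credential_store_read" in rules and rules & exfil_rules:
            findings.append({"rule": "infostealer_exfil_chain", "image": image,
                             "detail": sorted(rules)})
    return findings


# Constructed telemetry (Sysmon-style fields), not taken from the sandbox run.
SAMPLE_IMAGE = r"C:\Users\victim\AppData\Local\Temp\200004396.exe"
SAMPLE_EVENTS = [
    {"event": "file_access", "image": SAMPLE_IMAGE,
     "path": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    {"event": "file_access", "image": SAMPLE_IMAGE,
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "network_connect", "image": SAMPLE_IMAGE,
     "dest_host": "smtp.yandex.ru", "dest_port": 587},
    {"event": "network_connect",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.office365.com", "dest_port": 587},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Chrome reading its own Login Data and Outlook talking to its own mail server are left alone; only the dropped executable is flagged, once per event and once more for the correlated chain. The owner and mail-client allow-lists are deliberately short and should be extended from your own environment's baseline before this is used on real telemetry.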

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                      Matching signatures  ID
  Execution              Scheduled Task                 1                    T1053
  Persistence            Scheduled Task                 1                    T1053
  Privilege Escalation   Scheduled Task                 1                    T1053
  Credential Access      Credentials in Files           3                    T1081
  Discovery              System Information Discovery   1                    T1082
  Collection             Data from Local System         3                    T1005

The mapping uses ATT&CK v6 identifiers. In current ATT&CK versions T1081 is deprecated and its content lives under T1552.001 (Unsecured Credentials: Credentials In Files), and T1053 is split into sub-techniques (T1053.005 for Windows Scheduled Task); translate accordingly when feeding these into a newer detection catalogue.
