General

  • Target

    New Order.exe

  • Size

    449KB

  • Sample

    200630-sk4mbdeanj

  • MD5

    f5c7f1297ac03ef6c07d57a919388969

  • SHA1

    01bc800f04e4cd2febfd85024e50543297d43a56

  • SHA256

    534b616da9a48f2d2b2c28f3ee28c17e574479a9ec9d1c3182ba40daccdaca76

  • SHA512

    a78e64e6e7ec4e371759e42c35dfa6656e768873e59187ebe8763e1ea9debb020da869ed17bae71c0e3a7948452a4e37d996165f47739f0d89e555f3eadac669

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    eljefe09@yandex.ru
  • Password:
    Pussy12345

Targets

    • Target

      New Order.exe

    • Size

      449KB

    • MD5

      f5c7f1297ac03ef6c07d57a919388969

    • SHA1

      01bc800f04e4cd2febfd85024e50543297d43a56

    • SHA256

      534b616da9a48f2d2b2c28f3ee28c17e574479a9ec9d1c3182ba40daccdaca76

    • SHA512

      a78e64e6e7ec4e371759e42c35dfa6656e768873e59187ebe8763e1ea9debb020da869ed17bae71c0e3a7948452a4e37d996165f47739f0d89e555f3eadac669

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1 signature) - T1053

  • Persistence

    Scheduled Task (1 signature) - T1053

  • Privilege Escalation

    Scheduled Task (1 signature) - T1053

  • Credential Access

    Credentials in Files (3 signatures) - T1081

  • Discovery

    System Information Discovery (1 signature) - T1082

  • Collection

    Data from Local System (3 signatures) - T1005

Tasks