General

  • Target

    BL draft FORM_xls.exe

  • Size

    762KB

  • Sample

    200731-rqfye2rg6n

  • MD5

    99996216855c81d9cc40d112468cfc26

  • SHA1

    76e36c04c6fc6fd81a35b777df3f7c24feae524a

  • SHA256

    7b8df140852947533df21149c9bcb88be9cf040440dfb8f5eb7140171d67ce52

  • SHA512

    82aec45d3f0545e5639a075991fcc303258c64baf9653b7d45554fc9ba88de8cb6f9b9b15cfc9c2308ec798457494429ec2fbf8cb17565b36940ecaa5bd28789

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.moorefundz.com
  • Port:
    587
  • Username:
    evra@moorefundz.com
  • Password:
    g7g2Ig?Aeh_+
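The SMTP configuration above is the sample's exfiltration channel. As an added example (not part of this report and not Tria.ge's code), the Python below turns it into a network detection: a host that resolves smtp.moorefundz.com and then connects to the returned address on 587/tcp is flagged. The dns.log and conn.log records are constructed for illustration and use a simplified, assumed column layout, not Zeek's real field order.

```python
"""Detect the SMTP exfiltration channel extracted from this sample.

Added example, not part of the report. Log lines are constructed,
Zeek-like, tab-separated records with a reduced field set (assumed layout).
Connection logs carry no hostname, so the detection correlates each host's
own DNS answers for the exfil domain with its later 587/tcp connections.
"""
from collections import defaultdict
from dataclasses import dataclass

# Exfiltration config extracted from the sample (from the report above).
EXFIL_HOST = "smtp.moorefundz.com"
EXFIL_PORT = 587
# The extracted password is an indicator of the attacker's collection
# mailbox; it is deliberately not used here and must not be logged in with.

# Constructed dns.log: ts, orig_h, query, qtype_name, answers (comma-separated)
DNS_LOG = """\
1596186131.101\t10.0.0.23\tsmtp.moorefundz.com\tA\t203.0.113.10
1596186131.480\t10.0.0.23\twww.microsoft.com\tA\t23.45.0.10
1596186200.005\t10.0.0.77\tmail.example.org\tA\t198.51.100.9
1596186305.300\t10.0.0.41\tsmtp.moorefundz.com\tA\t203.0.113.10,203.0.113.11
"""

# Constructed conn.log: ts, orig_h, resp_h, resp_p, proto
CONN_LOG = """\
1596186131.150\t10.0.0.23\t203.0.113.10\t587\ttcp
1596186131.600\t10.0.0.23\t23.45.0.10\t443\ttcp
1596186200.200\t10.0.0.77\t198.51.100.9\t587\ttcp
1596186305.350\t10.0.0.41\t203.0.113.11\t587\ttcp
1596186400.000\t10.0.0.90\t203.0.113.10\t80\ttcp
"""


@dataclass(frozen=True)
class Hit:
    host: str      # internal host that resolved the exfil domain and connected
    resp_h: str    # exfil server address it connected to
    ts: float      # connection timestamp


def parse_tsv(text, fields):
    """Yield one dict per non-empty tab-separated line, keyed by `fields`."""
    for line in text.splitlines():
        if not line.strip():
            continue
        yield dict(zip(fields, line.split("\t")))


def exfil_ips_by_host(dns_text):
    """Map each internal host to the addresses it received for EXFIL_HOST."""
    resolved = defaultdict(set)
    fields = ["ts", "orig_h", "query", "qtype_name", "answers"]
    for rec in parse_tsv(dns_text, fields):
        if rec["query"].lower() == EXFIL_HOST and rec["qtype_name"] in ("A", "AAAA"):
            resolved[rec["orig_h"]].update(a for a in rec["answers"].split(",") if a)
    return resolved


def find_exfil_connections(dns_text, conn_text):
    """Return Hits for hosts that connected on EXFIL_PORT/tcp to an address
    they themselves resolved for EXFIL_HOST.

    Matching against the host's own answer, rather than a global IP list,
    keeps unrelated 587/tcp traffic to other mail servers out of the result.
    """
    resolved = exfil_ips_by_host(dns_text)
    hits = []
    fields = ["ts", "orig_h", "resp_h", "resp_p", "proto"]
    for rec in parse_tsv(conn_text, fields):
        if rec["proto"] != "tcp" or int(rec["resp_p"]) != EXFIL_PORT:
            continue
        if rec["resp_h"] in resolved.get(rec["orig_h"], ()):
            hits.append(Hit(rec["orig_h"], rec["resp_h"], float(rec["ts"])))
    return hits


if __name__ == "__main__":
    for hit in find_exfil_connections(DNS_LOG, CONN_LOG):
        print(f"{hit.host} -> {hit.resp_h}:{EXFIL_PORT} at {hit.ts}")
```

On the constructed data this flags 10.0.0.23 and 10.0.0.41 and ignores 10.0.0.77, which used port 587 to a different mail server, and 10.0.0.90, which never resolved the exfil domain. Match on the hostname rather than a single address: the malware reaches its server by name, so a blocklist of today's answer IP breaks as soon as the record changes. Treat the recovered password as an indicator to report to the mail provider, not a credential to exercise.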

Targets

    • Target

      BL draft FORM_xls.exe

    • Size

      762KB

    • MD5

      99996216855c81d9cc40d112468cfc26

    • SHA1

      76e36c04c6fc6fd81a35b777df3f7c24feae524a

    • SHA256

      7b8df140852947533df21149c9bcb88be9cf040440dfb8f5eb7140171d67ce52

    • SHA512

      82aec45d3f0545e5639a075991fcc303258c64baf9653b7d45554fc9ba88de8cb6f9b9b15cfc9c2308ec798457494429ec2fbf8cb17565b36940ecaa5bd28789

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer that exfiltrates collected data over channels such as SMTP, FTP or HTTP; this sample uses the SMTP account extracted above.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved credentials on disk, and infostealers commonly read those files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects a thread's execution, typically in a suspended child process, a pattern associated with process hollowing and other code injection.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                 Signatures  ID
Credential Access   Credentials in Files      3           T1081
Collection          Data from Local System    3           T1005

Tasks