General

  • Target

    NCG207311154.exe

  • Size

    498KB

  • Sample

    200731-s3wzacvr52

  • MD5

    22fbb2bdcd1308194687c06741b7c115

  • SHA1

    a512ba6b3f94f4c28310166db8d29403e9d86f40

  • SHA256

    9af4e7302015b6c26100e4119cc6463224adef98a668b459051615d9edc3573a

  • SHA512

    44658501a7f2012270ebc0696025b812db9954012e581838fdfb8576801db9d4fa67aac62fdc941340150abf6dd5ba884ad7c9c242be908f8749958005219c53

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    house.mate@yandex.com
  • Password:
    papa1974
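The extracted config above is the most actionable part of the report: the sample has no C2 server, it mails its loot through a free webmail provider's submission port (587) with a hardcoded account. The following is an added example, not part of the sandbox report, showing how that config becomes a hunt over endpoint network telemetry. The event records are constructed to look like Sysmon Event ID 3 (NetworkConnect) entries; the field names ts, image, dest_host and dest_port are an assumed schema, and the process allowlist is an assumption for a typical workstation.

```python
"""Hunt for Agent Tesla-style SMTP exfiltration in endpoint network telemetry.

Added example, not part of the sandbox report. The records below are
constructed to resemble Sysmon Event ID 3 (NetworkConnect) entries; the field
names (ts, image, dest_host, dest_port) are an assumed schema.
"""
import json

# The report's extracted config: the sample mails its loot through a free
# webmail provider's mail-submission port using a hardcoded account.
EXTRACTED_CONFIG = {"protocol": "smtp", "host": "smtp.yandex.com", "port": 587}

# Ports a process must use to speak SMTP. A stealer embeds its own SMTP client,
# so any process on these ports that is not a mail client is worth triage.
SMTP_PORTS = {25, 465, 587}

# Processes that legitimately submit mail from a workstation (assumed allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed telemetry, one JSON object per line (not taken from the sample run).
CONSTRUCTED_EVENTS = r"""
{"ts":"2020-07-31T11:54:03Z","image":"C:\\Users\\victim\\AppData\\Roaming\\NCG207311154.exe","dest_host":"smtp.yandex.com","dest_port":587}
{"ts":"2020-07-31T11:54:10Z","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","dest_host":"smtp.office365.com","dest_port":587}
{"ts":"2020-07-31T11:55:01Z","image":"C:\\Windows\\System32\\svchost.exe","dest_host":"ctldl.windowsupdate.com","dest_port":80}
{"ts":"2020-07-31T11:56:44Z","image":"C:\\Users\\victim\\Downloads\\invoice.exe","dest_host":"smtp.gmail.com","dest_port":465}
"""


def iocs_from_config(cfg):
    """Turn an extracted SMTP config into a (host, port) indicator set."""
    return {(cfg["host"].lower(), int(cfg["port"]))}


def classify(event, iocs):
    """Return a reason string if the connection is suspicious, else None.

    Order matters: an exact match on the extracted exfil endpoint is the
    strongest signal; a generic 'unknown process speaking SMTP' comes second
    and also catches samples whose config was not extracted.
    """
    host = event.get("dest_host", "").lower()
    port = int(event.get("dest_port", 0))
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if (host, port) in iocs:
        return "ioc_match: extracted exfil endpoint %s:%d" % (host, port)
    if port in SMTP_PORTS and image not in MAIL_CLIENTS:
        return "suspicious_smtp: %s is not a known mail client" % image
    return None


def hunt(lines, cfg=EXTRACTED_CONFIG):
    """Parse JSON-lines telemetry and return (ts, image, reason) findings."""
    iocs = iocs_from_config(cfg)
    findings = []
    for line in lines.strip().splitlines():
        event = json.loads(line)
        reason = classify(event, iocs)
        if reason:
            findings.append((event["ts"], event["image"], reason))
    return findings


if __name__ == "__main__":
    for ts, image, reason in hunt(CONSTRUCTED_EVENTS):
        print(ts, image, reason)
```

On the constructed input the sample's own connection is reported as an indicator match and the unrelated invoice.exe talking to smtp.gmail.com:465 is reported on the generic rule, while Outlook submitting to its own server and svchost.exe fetching over port 80 are left alone. The generic rule is the durable one: the account and provider change from build to build, the habit of mailing loot from an arbitrary user-land binary does not.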

Targets

    • Target

      NCG207311154.exe

    • Size

      498KB

    • MD5

      22fbb2bdcd1308194687c06741b7c115

    • SHA1

      a512ba6b3f94f4c28310166db8d29403e9d86f40

    • SHA256

      9af4e7302015b6c26100e4119cc6463224adef98a668b459051615d9edc3573a

    • SHA512

      44658501a7f2012270ebc0696025b812db9954012e581838fdfb8576801db9d4fa67aac62fdc941340150abf6dd5ba884ad7c9c242be908f8749958005219c53

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; builds have been written in Visual Basic .NET and C#.

    • AgentTesla Payload

    • Reads user/profile data of local email clients

      Email clients keep account settings and saved credentials on disk (and, for Outlook, in the registry), and infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers routinely read stored browser profile data, which includes saved logins, cookies and autofill entries.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state. Outside a debugger it is a common marker of process hollowing or injection, where a suspended child's entry point is redirected into an unpacked payload.
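The two "reads user/profile data" signatures fire on file access to well-known credential stores. As an added example, not part of the sandbox report, the code below classifies file-access records against the on-disk stores those signatures refer to and flags a process that reads stores it does not own. The access records are constructed, the (pid, image, path) schema is assumed, and the store paths and owning processes are the standard locations for Chromium-based browsers, Firefox and Thunderbird; the example does not claim these are the exact paths this sample touched.

```python
"""Classify file accesses against the credential stores Agent Tesla harvests.

Added example, not part of the sandbox report. The access records below are
constructed; the (pid, image, path) schema is assumed. A store read by a
process other than the product that owns it is reported; a browser reading
its own login database is not.
"""
import re
from collections import defaultdict

# (category, store label, path regex, processes that legitimately own the store).
# Paths are normalised to forward slashes and matched case-insensitively.
CREDENTIAL_STORES = [
    ("browser", "Chromium Login Data",
     r"/(Google/Chrome|Microsoft/Edge|BraveSoftware/Brave-Browser)/User Data/[^/]+/Login Data$",
     {"chrome.exe", "msedge.exe", "brave.exe"}),
    ("browser", "Firefox logins.json/key4.db",
     r"/Mozilla/Firefox/Profiles/[^/]+/(logins\.json|key4\.db|key3\.db)$",
     {"firefox.exe"}),
    ("email_client", "Thunderbird logins.json/key4.db",
     r"/Thunderbird/Profiles/[^/]+/(logins\.json|key4\.db|key3\.db)$",
     {"thunderbird.exe"}),
]
# Outlook keeps account data in the registry (HKCU\Software\Microsoft\Office\
# <version>\Outlook\Profiles), so registry telemetry, not file reads, covers it.

# Constructed access records: (pid, process image, path opened for read).
STEALER = r"C:\Users\victim\AppData\Roaming\NCG207311154.exe"
CONSTRUCTED_ACCESSES = [
    (4120, STEALER, r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4120, STEALER, r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json"),
    (4120, STEALER, r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\key4.db"),
    (4120, STEALER, r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\xyz.default\logins.json"),
    (2208, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (3001, r"C:\Windows\explorer.exe", r"C:\Users\victim\Documents\notes.txt"),
]


def match_store(image, path):
    """Return (category, label) if path is a credential store the process does
    not own, else None."""
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    norm = path.replace("\\", "/")
    for category, label, pattern, owners in CREDENTIAL_STORES:
        if re.search(pattern, norm, re.IGNORECASE) and exe not in owners:
            return category, label
    return None


def summarize(accesses):
    """Group foreign credential-store reads by process.

    Returns {(pid, image): {category: {store labels}}}. A single process that
    shows up under both 'browser' and 'email_client' is behaving like a
    general-purpose stealer rather than a misbehaving add-on of one product.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for pid, image, path in accesses:
        found = match_store(image, path)
        if found:
            category, label = found
            hits[(pid, image)][category].add(label)
    return {key: dict(cats) for key, cats in hits.items()}


if __name__ == "__main__":
    for (pid, image), cats in summarize(CONSTRUCTED_ACCESSES).items():
        print(pid, image)
        for category, labels in cats.items():
            print("  %s: %s" % (category, ", ".join(sorted(labels))))
```

On the constructed records only pid 4120 is reported, with hits in both categories, which is exactly the breadth the two report signatures describe; chrome.exe reading its own Login Data and explorer.exe reading a document produce nothing.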

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                 Hits  ID
  Execution              Scheduled Task            1     T1053
  Persistence            Scheduled Task            1     T1053
  Privilege Escalation   Scheduled Task            1     T1053
  Credential Access      Credentials in Files      2     T1081
  Collection             Data from Local System    2     T1005
