General

  • Target

    Revised Proforma Invoice_New order.exe

  • Size

    622KB

  • Sample

    210928-gwhbcaagfq

  • MD5

    3a391e960ff363979a5ac9dc3a95c636

  • SHA1

    8930a2e630f133dfb78e87e06b4f9ecd882a84e1

  • SHA256

    8842d55ed240f4ed04d12d227dfd1c65bc20b72bf79fc5e40daf61d9f3f86d47

  • SHA512

    9ad6f160cef7ba108a88ee963aa224c1766bfb183e7934a88b5a7019788b6874009a4a921f8b853329be940d08de74e3ddb0170e69b60152fbd950a5889a5926

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    s1.20mb.nl
  • Port:
    587
  • Username:
    whitesend@billionv.com
  • Password:
    fgd436-=/eVNM!!@#)mmnb

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      Count  ID
  Credential Access  Credentials in Files           3      T1081
  Discovery          System Information Discovery   1      T1082
  Collection         Data from Local System         3      T1005

Tasks