General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.19723.25833

  • Size

    635KB

  • Sample

    220426-fbnrysbac7

  • MD5

    a27c8ee8b37605f3c05e4eb4d614f359

  • SHA1

    6a8b97217d52a752075b08207bad7d7c867a8854

  • SHA256

    910a6e4138cb422bf570130f05cdb463d726c0eddb2882bdc6e42fb1daace384

  • SHA512

    769fe817c1616f80672a63ad8a8464c26aa4374e569343df04feab22a3a1193eac5f7eee5fb3afaa94ed28792da492659c2b02220f0197c1b89641a0d7f9f536

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.unitelha.com
  • Port:
    21
  • Username:
    kilop@unitelha.com
  • Password:
    Wljp?j]gQwC?

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.unitelha.com/
  • Port:
    21
  • Username:
    kilop@unitelha.com
  • Password:
    Wljp?j]gQwC?

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it there.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique               Count  ID
  Credential Access  Credentials in Files    2      T1081
  Collection         Data from Local System  2      T1005
  Collection         Email Collection        1      T1114