General
-
Target
df0a67f2a0c162c5a5dee0a8fcd8ab22.bin
-
Size
774KB
-
Sample
240428-ce5cbseb3s
-
MD5
c3193b2ea057f0757dbc1a84bddbed45
-
SHA1
8c75558733b1be0330267d0d001504e6fe2bf98a
-
SHA256
d20e2a65994a809fcfec8372905a34f29bf6c8c72d26e40896b74403b615c203
-
SHA512
57e265a6b40003dc435ebcfb542bf9ee41655f0209efde65a503d645af8648fa22b43f18fd3ddf5eb5ab8b9ef41c9c37b67d8f9dced2e35afabbaac3e654fa83
-
SSDEEP
12288:QjLAHxx92Tw9fN1qCCoxMxMLDCaKafHM4Bh269Y9Xj3EuTQ9w9QDUqYIHNZ/f0a+:QjkRx9hlxyMxh1i6Cp3EuEUWHNZ/tg5
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.starmech.net - Port:
587 - Username:
electronics@starmech.net - Password:
nics123 - Email To:
godwingodwin397@gmail.com
Targets
-
-
Target
e62255f98543e0bb1abf017af13fd483e1382158021b7edde65fa55c1ad290cf.exe
-
Size
822KB
-
MD5
df0a67f2a0c162c5a5dee0a8fcd8ab22
-
SHA1
07981693f5b38fa99a88aca0e13ba5b6022b1465
-
SHA256
e62255f98543e0bb1abf017af13fd483e1382158021b7edde65fa55c1ad290cf
-
SHA512
b62ea9a4710dfc855cfd47f2c0cb8787c9ea6b1159387431d1cc70b5989dd59086aaadd62e42fea9b21d28834b6ece20dc1715245762d026e48e315544529f75
-
SSDEEP
12288:zPqnHvjNIrpf9rN/mc/CQw5PXdFPemY3kI26WE+34DO2IOxzV2SYm9nEix9H82rF:zyPjKr5BNDuXvfY0RfmIkzLNP5rJ
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1