General

  • Target

    9ddecabca1b0f6f3f73316c406ee38a0.exe

  • Size

    675KB

  • Sample

    200708-n43n1148y2

  • MD5

    9ddecabca1b0f6f3f73316c406ee38a0

  • SHA1

    f9edc0bc8fdf17b8b4095212e3ad0395b84fec6d

  • SHA256

    35f0e8ca3bab29cfdf15c42ba6879af714ee203082d9cffc70a0b05e4eaae0ed

  • SHA512

    75320d2b72e982610cfc8e38ee946a7ad4c823cfe2c1a0e66b465e2de518cde34d132c5b9a9b9b4a457afa6eae43944f8bdbf56f9e75ead3719c719dfffd45c2

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    evawater.xyz
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$


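The extracted configuration gives the two values a defender can pivot on immediately: the exfiltration host (evawater.xyz) and the SMTP submission port (587); the mailbox name is redacted on this page and is not used below. The following script is an added hunting example, not part of the sandbox report: it resolves the C2 hostname through DNS log answers and then flags every connection to one of those addresses on port 587, so hosts that reached the C2 IP without a logged lookup are still caught. The log lines are constructed for this example in an abbreviated Zeek-style TSV layout with a `#fields` header; the IP addresses in them are documentation ranges, not real infrastructure.

```python
"""Hunt for Agent Tesla SMTP exfiltration using the C2 host and port from
the extracted config on this page (evawater.xyz, TCP 587).
All log content below is constructed for this example."""
from typing import Dict, List, Set

# Values taken from the extracted malware config above.
C2_HOST = "evawater.xyz"
C2_PORT = 587

# Constructed, abbreviated Zeek-style dns.log: one workstation resolves the
# C2 name, another resolves an unrelated name.
DNS_LOG = (
    "#fields\tts\tuid\tid.orig_h\tquery\tanswers\n"
    "1594200001.1\tCu1\t10.0.0.15\tevawater.xyz\t198.51.100.23\n"
    "1594200002.2\tCu2\t10.0.0.22\tupdate.example.com\t203.0.113.9\n"
)

# Constructed, abbreviated Zeek-style conn.log. 10.0.0.31 never queried the
# name (cached or hard-coded IP) but still talks to the resolved address.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1594200003.0\tCu3\t10.0.0.15\t49712\t198.51.100.23\t587\ttcp\tsmtp\n"
    "1594200004.0\tCu4\t10.0.0.22\t49800\t203.0.113.9\t443\ttcp\tssl\n"
    "1594200005.0\tCu5\t10.0.0.31\t49911\t198.51.100.23\t587\ttcp\tsmtp\n"
)


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek-style TSV log: a '#fields' header names the columns,
    other '#' lines are metadata, remaining lines are tab-separated records."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def resolved_ips(dns_rows: List[Dict[str, str]], host: str) -> Set[str]:
    """Collect every answer any client received for the C2 hostname.
    Zeek stores multiple answers comma-separated and '-' for none."""
    ips: Set[str] = set()
    for row in dns_rows:
        if row.get("query", "").lower() == host.lower():
            ips.update(a for a in row.get("answers", "").split(",") if a and a != "-")
    return ips


def find_exfil(dns_text: str, conn_text: str,
               host: str = C2_HOST, port: int = C2_PORT) -> List[Dict[str, str]]:
    """Return connections to any IP the C2 name resolved to, on the C2 port,
    regardless of whether the connecting host performed the lookup itself."""
    ips = resolved_ips(parse_zeek_tsv(dns_text), host)
    hits: List[Dict[str, str]] = []
    for row in parse_zeek_tsv(conn_text):
        if row.get("id.resp_h") in ips and int(row.get("id.resp_p", "0")) == port:
            hits.append({
                "uid": row["uid"],
                "src": row["id.orig_h"],
                "dst": row["id.resp_h"],
                "service": row.get("service", "-"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_exfil(DNS_LOG, CONN_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{C2_PORT} ({hit['service']}) uid={hit['uid']}")
```

Pivoting on the resolved address rather than only on the hostname is what surfaces the third host above, which would be missed by a pure DNS-name search; in a real investigation the same loop should also be run over smtp.log, where the MAIL FROM and RCPT TO fields will carry the attacker mailbox from the config.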
Targets

    • Target

      9ddecabca1b0f6f3f73316c406ee38a0.exe

    • Size

      675KB

    • MD5

      9ddecabca1b0f6f3f73316c406ee38a0

    • SHA1

      f9edc0bc8fdf17b8b4095212e3ad0395b84fec6d

    • SHA256

      35f0e8ca3bab29cfdf15c42ba6879af714ee203082d9cffc70a0b05e4eaae0ed

    • SHA512

      75320d2b72e982610cfc8e38ee946a7ad4c823cfe2c1a0e66b465e2de518cde34d132c5b9a9b9b4a457afa6eae43944f8bdbf56f9e75ead3719c719dfffd45c2

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, email clients and FTP clients and typically exfiltrates them over SMTP, as the extracted configuration above shows.

    • AgentTesla Payload

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
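The three "Reads ... data" signatures above are what the stealer does once it is running; the FTP-client one is the easiest to reproduce and shows why the access is worth alerting on. FileZilla keeps saved sites in %APPDATA%\FileZilla\sitemanager.xml and recent connections in recentservers.xml, and unless a master password is configured the stored password is only base64-encoded (older releases wrote it in plain text). The script below is an added example, not code from the sample or from FileZilla: it parses a constructed sitemanager.xml covering both formats and recovers the credentials exactly as an infostealer would, so you can see what is exposed on a compromised host.

```python
"""Parse a FileZilla sitemanager.xml and recover the stored credentials.
Demonstrates what the 'Reads data files stored by FTP clients' signature
implies. The XML below is constructed for this example, not taken from
the sample or from a real installation."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sitemanager.xml: one entry in the base64 format written by
# current FileZilla releases, one in the older plain-text format.
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.49.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Production web root</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Pass>legacyplain</Pass>
      <Logontype>1</Logontype>
      <Name>Legacy host (old FileZilla format)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def decode_pass(elem: Optional[ET.Element]) -> Optional[str]:
    """Recover the stored password.
    - no <Pass> element: no password saved
    - encoding="base64": current format, trivially reversible
    - no encoding attribute: legacy plain-text format
    - any other encoding (e.g. a master-password protected entry): not
      recoverable from the file alone, so report it as protected (None)."""
    if elem is None or elem.text is None:
        return None
    encoding = elem.get("encoding")
    if encoding == "base64":
        return base64.b64decode(elem.text).decode("utf-8", "replace")
    if encoding is None:
        return elem.text
    return None  # protected by something the file does not contain


def extract_filezilla_sites(xml_text: str) -> List[Dict[str, object]]:
    """Return one record per saved site with the recovered password."""
    root = ET.fromstring(xml_text)
    sites: List[Dict[str, object]] = []
    for server in root.iter("Server"):
        pass_elem = server.find("Pass")
        sites.append({
            "name": server.findtext("Name", default=""),
            "host": server.findtext("Host", default=""),
            "port": int(server.findtext("Port", default="0")),
            "user": server.findtext("User", default=""),
            "password": decode_pass(pass_elem),
            "protected": pass_elem is not None
            and pass_elem.get("encoding") not in (None, "base64"),
        })
    return sites


if __name__ == "__main__":
    for site in extract_filezilla_sites(SAMPLE_SITEMANAGER_XML):
        print(f"{site['name']}: {site['user']}@{site['host']}:{site['port']} "
              f"password={site['password']!r} protected={site['protected']}")
```

Every credential in the constructed file comes back in the clear, which is the point: base64 is an encoding, not protection. The practical mitigations are setting a FileZilla master password (entries then carry a different encoding and this decoder correctly reports them as protected) and treating any non-FileZilla process that opens these files, the email-client profile directories or browser "Login Data" stores as a stealer indicator.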

MITRE ATT&CK Enterprise v6

Tasks