54a9c7b2de032c88a365724c0cf41c6d8cae0a63299f5870fbddfd2fada133c0

General
Target

54a9c7b2de032c88a365724c0cf41c6d8cae0a63299f5870fbddfd2fada133c0

Size

354KB

Sample

220521-pw9dtsbdal

Score
10 /10
MD5

e2082e433bd9a88e80f51c9e7238bbe6

SHA1

fce93fdc8378c546c8c4e7e319792c8dae710bba

SHA256

54a9c7b2de032c88a365724c0cf41c6d8cae0a63299f5870fbddfd2fada133c0

SHA512

641e3e40f748eeba64f010a6b9bcc0eaafc40acabd46a551baf2ca9e7453dac21de624614b272d333c6873b3b5eeaa4ec97c5a964c249e5738d96056e29a592c

Malware Config

Extracted

Family agenttesla
Credentials

Protocol: ftp

Host: ftp://gsmtp.me/

Port: 21

Username: mikano

Password: N1!4o8yg

Protocol: ftp

Host: ftp://gsmtp.me/

Port: 21

Username: mikano

Password: N1!4o8yg

Targets
Target

PO-7890374.exe

MD5

e9578b76923aaf0ef5c6ddd29f04c44b

Filesize

488KB

Score
10/10
SHA1

fd105ad0cfaac1465e7773e1f5a98a4bdc9ab7d9

SHA256

0e1398abdfa85e32529125bf46eca2248faa7baa07f114ead8e310fc05a73beb

SHA512

fb064a5aad513cf8650d03b716e0502a920779a9c2f7f3db0628e65c89c439b72984f2efc21f43112874fff3cbe1c59d1cc0d8e4cc944ecd97abb043c280cc37

Tags

Signatures

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • AgentTesla Payload

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses Microsoft Outlook profiles

    Tags

    TTPs

    Email Collection
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                Privilege Escalation