General

  • Target

    a62d53b4c696972c717f444b1cf6ccda07dbc124

  • Size

    570KB

  • Sample

    230111-pvw24sfh8z

  • MD5

    7a6ac533312d5f4e462a1b9beda03cfd

  • SHA1

    a62d53b4c696972c717f444b1cf6ccda07dbc124

  • SHA256

    b0fdb78c68324224076f2d39061d3ad13c254e265a1842d87a6e7c8d49094e0e

  • SHA512

    d98b17806980b209a53034314ab2278df9ffedcdf1cb8535c944ec1dc1f811d17486945fa4a8862338db842b2c7fe666d0bbe75fd158770268a534d10254e210

  • SSDEEP

    12288:IY5ZNf4zIxNh8k7577uDHUTTAiha8ZRI0G17GnRDm7In75HmG:IY5szIrWmd7pFha8ZK+RDm7IkG

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      a62d53b4c696972c717f444b1cf6ccda07dbc124

    • Size

      570KB

    • MD5

      7a6ac533312d5f4e462a1b9beda03cfd

    • SHA1

      a62d53b4c696972c717f444b1cf6ccda07dbc124

    • SHA256

      b0fdb78c68324224076f2d39061d3ad13c254e265a1842d87a6e7c8d49094e0e

    • SHA512

      d98b17806980b209a53034314ab2278df9ffedcdf1cb8535c944ec1dc1f811d17486945fa4a8862338db842b2c7fe666d0bbe75fd158770268a534d10254e210

    • SSDEEP

      12288:IY5ZNf4zIxNh8k7577uDHUTTAiha8ZRI0G17GnRDm7In75HmG:IY5szIrWmd7pFha8ZK+RDm7IkG

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks