General

  • Target

    Betaling.jpg_1.img

  • Size

    1.3MB

  • Sample

    230303-sylx4aaa94

  • MD5

    18834e9533434790b56cbf2579183f55

  • SHA1

    4b3f698e48f70c40d705590705d9c4d6fbd5a988

  • SHA256

    3185d8e8484338169b004da9f6ea8e66f2e95f353b9d2a0cf833ce705ca2cfb2

  • SHA512

    44077e6b49173e963a09b2b48d6957818e54a4d167034a05ad5360008b0d57df605bada880e6018b09f03ea44fa7d8b0f67f5e83e8113b27ae2dba797f5bf0c3

  • SSDEEP

    24576:owwt+2McUJrdRhT5js5HE2u08wvQW0iaGTf/YeOXv:kt+XLsxRu08wYI/YNXv
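The SSDEEP value above and the one for BETALING.EXE listed below under Targets differ in one character per chunk, which is what a disk image that wraps a single executable looks like to a context-triggered piecewise hash. The Python below is an added example, not part of this report and not ssdeep's own code: it re-implements the published spamsum signature comparison (common 7-character substring gate, edit distance with insert/delete cost 1 and substitute cost 2, scaling to 0..100, small-block-size cap) and scores the two signatures copied from this page. It assumes this reimplementation reproduces the library's integer arithmetic.

```python
"""Score the two SSDEEP signatures from this report against each other.

Reimplementation of the ssdeep/spamsum comparison so the similarity between
the .img container and the executable it carries can be checked offline.
The two signature strings are copied from the report.
"""

SPAMSUM_LENGTH = 64   # maximum length of one chunk string
MIN_BLOCKSIZE = 3
ROLLING_WINDOW = 7    # two chunks must share a substring this long

IMG_SSDEEP = "24576:owwt+2McUJrdRhT5js5HE2u08wvQW0iaGTf/YeOXv:kt+XLsxRu08wYI/YNXv"
EXE_SSDEEP = "24576:2wwt+2McUJrdRhT5js5HE2u08wvQW0iaGTf/YeOXv:qt+XLsxRu08wYI/YNXv"


def parse_signature(sig):
    """Split 'blocksize:chunk1:chunk2[,"filename"]' into (int, str, str)."""
    parts = sig.split(":", 2)
    if len(parts) != 3:
        raise ValueError("malformed ssdeep signature: %r" % sig)
    chunk2 = parts[2].split(",", 1)[0]        # drop an optional ,"name" suffix
    return int(parts[0]), parts[1][:SPAMSUM_LENGTH], chunk2[:SPAMSUM_LENGTH]


def eliminate_sequences(s):
    """Collapse runs of more than three identical characters, as ssdeep does."""
    out = list(s[:3])
    for i in range(3, len(s)):
        if s[i] != s[i - 1] or s[i] != s[i - 2] or s[i] != s[i - 3]:
            out.append(s[i])
    return "".join(out)


def has_common_substring(s1, s2):
    """Gate: chunks are only candidates if they share ROLLING_WINDOW characters."""
    return any(s1[i:i + ROLLING_WINDOW] in s2
               for i in range(len(s1) - ROLLING_WINDOW + 1))


def edit_distance(s1, s2):
    """Levenshtein distance, insert/delete cost 1, substitute cost 2."""
    prev = list(range(len(s2) + 1))
    for i, c1 in enumerate(s1, 1):
        cur = [i]
        for j, c2 in enumerate(s2, 1):
            sub = prev[j - 1] + (0 if c1 == c2 else 2)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, sub))
        prev = cur
    return prev[-1]


def score_strings(s1, s2, block_size):
    """Score one chunk pair 0..100 following ssdeep's scaling rules."""
    len1, len2 = len(s1), len(s2)
    if len1 > SPAMSUM_LENGTH or len2 > SPAMSUM_LENGTH:
        return 0
    if not has_common_substring(s1, s2):
        return 0
    score = edit_distance(s1, s2) * SPAMSUM_LENGTH // (len1 + len2)  # 0..64 scale
    score = 100 * score // SPAMSUM_LENGTH                            # 0..100 scale
    if score >= 100:
        return 0
    score = 100 - score
    # a tiny block size must not exaggerate a match
    if block_size < (99 + ROLLING_WINDOW) // ROLLING_WINDOW * MIN_BLOCKSIZE:
        score = min(score, block_size // MIN_BLOCKSIZE * min(len1, len2))
    return score


def compare(sig1, sig2):
    """Return the ssdeep similarity (0..100) of two signatures."""
    bs1, a1, a2 = parse_signature(sig1)
    bs2, b1, b2 = parse_signature(sig2)
    a1, a2, b1, b2 = map(eliminate_sequences, (a1, a2, b1, b2))
    if bs1 == bs2 and a1 == b1 and a2 == b2:
        return 100
    if bs1 == bs2:
        return max(score_strings(a1, b1, bs1), score_strings(a2, b2, bs1))
    if bs1 == bs2 * 2:                 # compare the finer chunk of one with
        return score_strings(a1, b2, bs1)  # the coarser chunk of the other
    if bs2 == bs1 * 2:
        return score_strings(a2, b1, bs2)
    return 0                           # block sizes too far apart to compare


if __name__ == "__main__":
    print("IMG vs EXE ssdeep score:", compare(IMG_SSDEEP, EXE_SSDEEP))
```

A score this close to 100 between a container and a file with a different size and MD5 is the usual sign that the image is a thin wrapper: the rolling hash sees the same byte stream plus a little filesystem metadata.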

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      BETALING.EXE

    • Size

      792KB

    • MD5

      2a1545c3d87e97567f8b086860e5832b

    • SHA1

      410bf6f20cb8d3815866b31c7c7d777fbccb6ea2

    • SHA256

      e2cffdf34c55f9b0975fc651a0f49db65ff59c34610221fe5efac13d72911310

    • SHA512

      e1d21c09003d4f99f9e654276e040f56c3338c3b578f0cf74542b1c0525f7a2ebe1a953de88c79e952112b696aaa5c011eebf25022f4335a071993a7dc82b44f

    • SSDEEP

      24576:2wwt+2McUJrdRhT5js5HE2u08wvQW0iaGTf/YeOXv:qt+XLsxRu08wYI/YNXv

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT) sold as a commodity keylogger; it harvests saved credentials from browsers, mail and FTP clients and sends them to an attacker-controlled SMTP, FTP or HTTP endpoint.

    • Reads data files stored by FTP clients

      Reads the configuration files of FTP clients such as FileZilla (sitemanager.xml and recentservers.xml), which hold saved server logins.

    • Reads user/profile data of local email clients

      Email clients keep account settings and saved passwords in profile files on disk, a common target for infostealers.

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile stores, which hold saved logins, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

      Outlook keeps account settings, including stored mail-server passwords, under its profile keys in the registry.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Overwriting another thread's context is the step in process hollowing where a suspended process's thread is pointed at an injected payload, so the payload runs under a legitimate process name.
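The behaviours listed above are what a sandbox's signature engine raises from the sample's file, registry, network and API traces. As an added example, not part of this report and not the sandbox's own rules, the Python below runs the same checks over a constructed event trace and turns the hits into a verdict. The artefact paths are the standard locations of FileZilla, Chrome, Firefox, Thunderbird and Outlook data; the IP-lookup hostnames are assumed, since the report does not name the service this sample contacted, and the event records are constructed for the example.

```python
"""Match a sandbox-style event trace against the behaviours in this report.

Added example. Events are constructed to resemble a sandbox's file, registry,
DNS and API traces; they are not taken from the report.
"""
import re

# Indicator name (as the report lists it) -> (event type, regex on the value).
INDICATORS = {
    "Reads data files stored by FTP clients": (
        "file_read", r"\\FileZilla\\(sitemanager|recentservers)\.xml$"),
    "Reads user/profile data of local email clients": (
        "file_read", r"\\Thunderbird\\(profiles\.ini|Profiles\\.*\\(logins\.json|key4\.db))$"),
    "Reads user/profile data of web browsers": (
        "file_read",
        r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$"
        r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$"),
    "Accesses Microsoft Outlook profiles": (
        "reg_read", r"\\Software\\Microsoft\\Office\\\d+\.\d\\Outlook\\Profiles\\"),
    # Assumed hosts: the report only says "a legitimate IP lookup service".
    "Looks up external IP address via web service": (
        "dns", r"^(checkip\.dyndns\.org|api\.ipify\.org|ipinfo\.io)$"),
    "Suspicious use of SetThreadContext": (
        "api", r"^SetThreadContext$"),
}

# Constructed trace of one process, in the order a stealer typically acts.
EVENTS = [
    {"type": "api", "value": "SetThreadContext"},
    {"type": "file_read", "value": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "file_read", "value": r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "file_read", "value": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "value": r"C:\Users\victim\AppData\Roaming\Thunderbird\profiles.ini"},
    {"type": "reg_read", "value": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns", "value": "checkip.dyndns.org"},
    {"type": "file_read", "value": r"C:\Windows\System32\kernel32.dll"},  # benign noise
]


def match_indicators(events, indicators=INDICATORS):
    """Return {indicator name: [event values that matched]} for every hit."""
    hits = {}
    for name, (etype, pattern) in indicators.items():
        rx = re.compile(pattern, re.IGNORECASE)
        for ev in events:
            if ev["type"] == etype and rx.search(ev["value"]):
                hits.setdefault(name, []).append(ev["value"])
    return hits


def verdict(hits):
    """Several credential stores read plus an injection primitive reads as an infostealer."""
    theft = {n for n in hits if n.startswith(("Reads", "Accesses"))}
    injection = "Suspicious use of SetThreadContext" in hits
    if len(theft) >= 2 and injection:
        return "infostealer (injected payload harvests credentials)"
    if theft:
        return "credential access"
    return "no infostealer behaviour"


if __name__ == "__main__":
    found = match_indicators(EVENTS)
    for name, values in found.items():
        print(name)
        for v in values:
            print("   ", v)
    print("verdict:", verdict(found))
```

The point of combining the hits rather than alerting on each is that a single read of a browser's Login Data is also what a password manager or backup agent does; the same process touching FTP, mail, browser and Outlook stores and then asking a web service for its public address is the stealer profile.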

MITRE ATT&CK Enterprise v6

Tasks