General

  • Target

    ea53d17d407202920af2fd07b8296abf.bin

  • Size

    777KB

  • Sample

    230331-cl1byshf7v

  • MD5

    e146a6631e04b77d1a8fafb277a5b668

  • SHA1

    dcc6d541e2add64381552111013f2d740a9ad126

  • SHA256

    cabe22196c7da75864ba82f4fc87a4247c279515f3876a6a1e90ad9e776fde98

  • SHA512

    5d174752f7c7ffba45fd8ff72d533447e1bee43443056a9577f7ab8ff63323ccf61c3e88918923bacfb6cae9e4bfaa10a0111296fe1740e06f408b87dc44c6a2

  • SSDEEP

    12288:iEhpUrYWnBMOg8axE6vdy5ULXav3QdEQfitP/gYhz3uGAIb5yZWbEoV6Fo9:iEPUrBQE6vYg1KP/GGJVbEju9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.servicesterminals.com
  • Port:
    587
  • Username:
    kenneth@servicesterminals.com
  • Password:
    zK2kveho
  • Email To:
    kenneth@servicesterminals.com
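The extracted SMTP configuration above is the most actionable part of the report: it names the exfiltration host, port and mailbox, and the AUTH LOGIN exchange AgentTesla's SMTP client performs puts the base64 form of that username and password on the wire. The script below is an added example, not code from the report or from the sandbox: it derives those indicators from the extracted values and runs them over connection logs. The key=value log format and the four log lines are constructed for the demonstration; `build_iocs`, `scan` and the field names are this example's own.

```python
"""Turn the extracted AgentTesla SMTP config into detection content and run it
over constructed connection logs.  Example code added for this page, not part
of the sandbox report; the log format and log lines are invented for the demo."""
import base64
import re

# Values as extracted by the sandbox (Malware Config section of the report).
EXTRACTED_CONFIG = {
    "protocol": "smtp",
    "host": "smtp.servicesterminals.com",
    "port": 587,
    "username": "kenneth@servicesterminals.com",
    "password": "zK2kveho",
    "email_to": "kenneth@servicesterminals.com",
}


def build_iocs(cfg):
    """Derive network indicators from the config.

    Besides host:port and the mailbox, emit the base64 strings an SMTP
    AUTH LOGIN exchange sends for this username and password; they are usable
    as IDS content matches even when the hostname is not visible (direct-to-IP
    connections, or DNS logs missing)."""
    def b64(s):
        return base64.b64encode(s.encode()).decode()
    return {
        "c2_host": cfg["host"],
        "c2_port": cfg["port"],
        "mailbox": {cfg["username"], cfg["email_to"]},
        "auth_login_user_b64": b64(cfg["username"]),
        "auth_login_pass_b64": b64(cfg["password"]),
    }


# Constructed connection-log lines in a simple key=value format (not real traffic).
SAMPLE_LOG = """\
ts=2023-03-31T12:00:01Z src=10.0.0.5 dst=mail.corp.example dport=587 mailfrom=alice@corp.example rcptto=bob@corp.example
ts=2023-03-31T12:00:07Z src=10.0.0.5 dst=smtp.servicesterminals.com dport=587 mailfrom=kenneth@servicesterminals.com rcptto=kenneth@servicesterminals.com
ts=2023-03-31T12:00:09Z src=10.0.0.7 dst=203.0.113.10 dport=587 mailfrom=kenneth@servicesterminals.com rcptto=kenneth@servicesterminals.com
ts=2023-03-31T12:00:12Z src=10.0.0.9 dst=mail.corp.example dport=25 mailfrom=carol@corp.example rcptto=dave@corp.example
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line into a dict."""
    return dict(KV.findall(line))


def match_line(rec, iocs):
    """Return the indicator names this record matches (empty list = clean)."""
    hits = []
    if rec.get("dst") == iocs["c2_host"] and int(rec.get("dport", 0)) == iocs["c2_port"]:
        hits.append("c2_host_port")
    # The mailbox match still fires when the malware reaches the server by IP.
    if rec.get("mailfrom") in iocs["mailbox"] or rec.get("rcptto") in iocs["mailbox"]:
        hits.append("exfil_mailbox")
    return hits


def scan(log_text, iocs):
    """Return (source host, matched indicators) for every matching record."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        hits = match_line(rec, iocs)
        if hits:
            results.append((rec["src"], hits))
    return results


if __name__ == "__main__":
    iocs = build_iocs(EXTRACTED_CONFIG)
    print("AUTH LOGIN username on the wire:", iocs["auth_login_user_b64"])
    for src, hits in scan(SAMPLE_LOG, iocs):
        print(f"{src}: {', '.join(hits)}")
```

The third constructed line shows why the mailbox indicator matters: the connection goes to a bare IP rather than the configured hostname, so a host-only rule misses it while the sender/recipient still gives it away. On port 587 the session normally upgrades to STARTTLS, so the base64 AUTH strings are only matchable on the wire where TLS is not negotiated or is inspected.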

Targets

    • Target

      328aa195af17fbb6996c45b95c15c022e987c5d8a6fdea00ef8a58f47e8e721b.exe

    • Size

      1000KB

    • MD5

      ea53d17d407202920af2fd07b8296abf

    • SHA1

      ca705e5b89a9e07e87314bfd44541d940f346cbd

    • SHA256

      328aa195af17fbb6996c45b95c15c022e987c5d8a6fdea00ef8a58f47e8e721b

    • SHA512

      2f1a6ec015c7180ce1f95e7de0a6bdb37de697b0159eef751f6ee92def9249dee1caf08005cab63622fa673d627699058cf864eef7ebac1cb321160acce2ba7d

    • SSDEEP

      24576:nj12zVZ97P1AaGeqGknYCDUTILhmxBjnRrtL0:njAR37dAaGeTknYGUTItsRr

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT). It harvests credentials from browsers, email and FTP clients and sends them to the operator; this sample exfiltrates over SMTP using the credentials in the extracted configuration above.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk, where infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

      Reads the Outlook profile settings stored under the user's registry hive, which hold account details for configured mailboxes.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP, which the stealer includes in its report to identify the victim.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread in another process is characteristic of process hollowing: a legitimate process is started suspended, its image is replaced with injected code, and the thread's entry point is redirected to it.
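Taken one at a time, the behaviours listed above are noisy (a browser reading its own password store looks identical to a stealer reading it), so a practitioner correlates them per process. The script below is an added example, not code from the report or from any EDR product: it classifies constructed EDR-style events against the data stores the report names and alerts when a single process, other than the program that owns the store, touches several of them. The event format, the events, and the path and registry patterns are this example's own assumptions about where FileZilla, Chrome/Edge/Firefox, Thunderbird and Outlook keep their data; the image name is taken from the report's target. The SetThreadContext signature is not modelled here, since it is an API-level observation rather than a file, registry or DNS event.

```python
"""Correlate the host behaviours from the report into one infostealer
detection.  Example code added for this page; the events and the path and
registry patterns are constructed assumptions, not data from the report."""
import re
from collections import defaultdict

# (category, event kind, pattern): usual storage locations for the programs
# named in the report, listed here as assumptions.
RULES = [
    ("ftp_client_data", "file_read",
     re.compile(r"\\FileZilla\\(recentservers|sitemanager)\.xml$", re.I)),
    ("browser_data", "file_read",
     re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Login Data$"
                r"|\\Mozilla\\Firefox\\Profiles\\.*\\logins\.json$", re.I)),
    ("email_client_data", "file_read",
     re.compile(r"\\Thunderbird\\Profiles\\.*\\(logins\.json|key4\.db)$", re.I)),
    ("outlook_profile", "reg_read",
     re.compile(r"\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I)),
    ("external_ip_lookup", "dns_query",
     re.compile(r"^(api\.ipify\.org|checkip\.dyndns\.org|icanhazip\.com)$", re.I)),
]

# A program reading its own credential store is normal; only other images count.
EXPECTED_OWNER = {
    "ftp_client_data": {"filezilla.exe"},
    "browser_data": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "email_client_data": {"thunderbird.exe"},
    "outlook_profile": {"outlook.exe"},
    "external_ip_lookup": set(),
}

SAMPLE_NAME = "328aa195af17fbb6996c45b95c15c022e987c5d8a6fdea00ef8a58f47e8e721b.exe"

# Constructed EDR-style events (not real telemetry from the sandbox run).
EVENTS = [
    {"pid": 4100, "image": "chrome.exe", "kind": "file_read",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 6300, "image": "filezilla.exe", "kind": "file_read",
     "target": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 5200, "image": SAMPLE_NAME, "kind": "file_read",
     "target": r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 5200, "image": SAMPLE_NAME, "kind": "file_read",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5200, "image": SAMPLE_NAME, "kind": "file_read",
     "target": r"C:\Users\u\AppData\Roaming\Thunderbird\Profiles\abcd.default\logins.json"},
    {"pid": 5200, "image": SAMPLE_NAME, "kind": "reg_read",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 5200, "image": SAMPLE_NAME, "kind": "dns_query",
     "target": "api.ipify.org"},
]


def classify(event):
    """Return the rule category an event matches, or None if it is clean or
    comes from the program that legitimately owns that data store."""
    for category, kind, pattern in RULES:
        if event["kind"] == kind and pattern.search(event["target"]):
            if event["image"].lower() in EXPECTED_OWNER[category]:
                return None
            return category
    return None


def correlate(events, min_categories=3):
    """Group matches per pid and alert when one process touches at least
    min_categories unrelated stores; returns (pid, image, categories) tuples."""
    seen = defaultdict(set)
    image = {}
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[ev["pid"]].add(cat)
            image[ev["pid"]] = ev["image"]
    return [(pid, image[pid], sorted(cats))
            for pid, cats in sorted(seen.items()) if len(cats) >= min_categories]


if __name__ == "__main__":
    for pid, img, cats in correlate(EVENTS):
        print(f"pid {pid} ({img}): {', '.join(cats)}")
```

The threshold of three categories is a tuning choice: the chrome.exe and filezilla.exe events are suppressed by the owner allowlist, and only the sample's process accumulates enough distinct categories to alert. In real telemetry the IP-lookup DNS query is the weakest signal on its own and the strongest in combination, which is why it is kept as a category rather than an alert by itself.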

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files, T1081 (3 signatures: FTP client, email client and browser data)
  • Collection: Data from Local System, T1005 (3 signatures: FTP client, email client and browser data)
  • Collection: Email Collection, T1114 (1 signature: Outlook profiles)

The technique IDs are from ATT&CK v6; in current ATT&CK, T1081 has been folded into T1552.001 (Unsecured Credentials: Credentials In Files).
