General

  • Target

    PO 0051-23.exe

  • Size

    318KB

  • Sample

    230403-gm2nmaee4t

  • MD5

    76d08c9a795cb286eb92d8ab41d1bff5

  • SHA1

    b00f94fc957f25fcb4fdccb8aad1d679247cde04

  • SHA256

    0e4ea6322dba2d469a0e405188c76f6cd9332e193071048192621abf85bf7cdc

  • SHA512

    2fb51728fcaca60b38094278e9e9571bc6e4ddd33226614dd9eedd066d7a551fc714a2f8d336ccadf8f8ca690b56339e85b089efdfe315b26f7728e84da23002

  • SSDEEP

    6144:PYa63sAnyhbptQUF310y/LGcCn75IDouSHwoX1TzseW6:PYlFn2tFFF0y/LS7ohSHwoX1/seW6

Malware Config

Targets

    • Target

      PO 0051-23.exe

    • Size

      318KB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    T1081 Credentials in Files (3)

  • Discovery

    T1082 System Information Discovery (1)

  • Collection

    T1005 Data from Local System (3)

    T1114 Email Collection (1)

Tasks