General

  • Target

    payment.r15.rar

  • Size

    410KB

  • Sample

    230403-kgz5dsdf72

  • MD5

    2cb87ffa452f6e2bb5949b39e243bad7

  • SHA1

    df0437f5ecf3da72a5c2509d51af086ced1f1bcd

  • SHA256

    db1081c1a75421b9b57add6984d4bc694fb160aa80a1657a43acb3810dc20a81

  • SHA512

    cde446bf92b7ed0e35f90166795ce443fd758f3fc3d0d364637e4b527e4f95436b17f752ee344ae28ef282d4695b6f9ea16a785395331976c8c49be61f64a192

  • SSDEEP

    12288:+Dmne+9VXCcetsvin49N5WmshLUV4GWMiXu9e+:ne+9VX/an8WmqL2iXuU+

Malware Config (Extracted)

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      payment.exe

    • Size

      602KB

    • MD5

      d4bef4b07059e137cb445ad46607a039

    • SHA1

      f9b52054c5020f0a6bc30ad369a0dbf06c9e3c16

    • SHA256

      66f84a9485233c4126143d575a7d5d754721f963e71069a9456399c601af2ea8

    • SHA512

      1551c4bdcbdec278473e3bb01d4d0dfffbc2af9d6c1938e54a403db431cb7ab22b0b0f96d51c365e0a003a585e29cc4eb868624a16b0e3dfbe32665edd18dfe1

    • SSDEEP

      6144:nYlCTy6dfHrM0oyvqwVns5DnfuqpPhlpImWwhdGC7dAvTxxJn5I4h22cqnCBtVuv:nYlCTz/riyywVnmp5lBKC7Wjzg2cv0v

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Collection

    Email Collection (T1114): 1

Tasks