General

  • Target

    5cc0c336fc38231f8220dd959fe7ccee.exe

  • Size

    687KB

  • Sample

    230420-c6fhaafa83

  • MD5

    5cc0c336fc38231f8220dd959fe7ccee

  • SHA1

    62c75a782b20545b29c879bc8c3f6307dd588111

  • SHA256

    010493b98e6676ace7201480f106d8b348aac9118755a5f55137b410dbf31d0c

  • SHA512

    181b59a15572f7261e96820ea62c6df57fd2ef5168e23947f8fed1034f24f45936c3521e2db79272ffd4f24a364c2ae2264f1e2d5240d534167d67381e8a9dde

  • SSDEEP

    12288:Mg+Voi1HDSFR7XFHgAIa8PHWm81DNCdGKOotgtUG:VSHDah8PHWmmuxCU

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      5cc0c336fc38231f8220dd959fe7ccee.exe

    • Size

      687KB

    • MD5

      5cc0c336fc38231f8220dd959fe7ccee

    • SHA1

      62c75a782b20545b29c879bc8c3f6307dd588111

    • SHA256

      010493b98e6676ace7201480f106d8b348aac9118755a5f55137b410dbf31d0c

    • SHA512

      181b59a15572f7261e96820ea62c6df57fd2ef5168e23947f8fed1034f24f45936c3521e2db79272ffd4f24a364c2ae2264f1e2d5240d534167d67381e8a9dde

    • SSDEEP

      12288:Mg+Voi1HDSFR7XFHgAIa8PHWm81DNCdGKOotgtUG:VSHDah8PHWmmuxCU

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks