General

  • Target

    hesaphareketi-01.exe

  • Size

    933KB

  • Sample

    230612-ndz7rsbg22

  • MD5

    2093282857be724c339ce27bb5cdc633

  • SHA1

    26ffdf9709e6ca7f4ac422597806f842bbeea080

  • SHA256

    06b2ab16e068ff058fd7b142d331ca7b694c4a311320c6a6aaee7acdd38b2402

  • SHA512

    f93d6121c20c81667ed476e13df4f8945833be3219ee46a7d72b4c4d59a6cd9453abb298b1f60c92c90a75fdf9d857c9e2c99e43dcb493c69010005bacabcf96

  • SSDEEP

    24576:1iOV/NOaXez2URyzwc/787XDSA2ieOwFmBCZhEJB:1iOV/NOas2A+5qXOA2vOAoCZhEJB

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.redseatransportuae.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    method10@10

Targets

    • Target

      hesaphareketi-01.exe

    • Size

      933KB

    • MD5

      2093282857be724c339ce27bb5cdc633

    • SHA1

      26ffdf9709e6ca7f4ac422597806f842bbeea080

    • SHA256

      06b2ab16e068ff058fd7b142d331ca7b694c4a311320c6a6aaee7acdd38b2402

    • SHA512

      f93d6121c20c81667ed476e13df4f8945833be3219ee46a7d72b4c4d59a6cd9453abb298b1f60c92c90a75fdf9d857c9e2c99e43dcb493c69010005bacabcf96

    • SSDEEP

      24576:1iOV/NOaXez2URyzwc/787XDSA2ieOwFmBCZhEJB:1iOV/NOas2A+5qXOA2vOAoCZhEJB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks