General

  • Target

    02084499.exe

  • Size

    768KB

  • Sample

    230614-pc8m7agg8y

  • MD5

    1254520bdcfe7dd96d9378aba95656e5

  • SHA1

    55d31bae2143de44cb8fb2fcfa7745f2c8da042c

  • SHA256

    b8192f1fec7d9734eaa25fcb5a51e7b38ac904c4e3b6db13373e028496f5ea9f

  • SHA512

    ba6a91487e8637ce191c0c9550c6c0291d6efce64b08f1d91c7cad0980f783e0c606ae4af09df27ab4e7fd9fd021c46f61c355a7c5734a9755bf17ec75d5b490

  • SSDEEP

    12288:+bLXAndxtHYn8OvvC3kgn/yxPSTs9QlreP7TPsD4TYN2/WEXqXdVi:WcnpHhcwXyxS3lqP3U40cu4qXdVi

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks