General

  • Target

    34D023E0F662D1DCACC5168A46A686BEA468F3C7EA424C5AF500B9D885C71121

  • Size

    284KB

  • Sample

    230718-zkncbsdh47

  • MD5

    bffa31d53229ecf1b564924334c3f4ca

  • SHA1

    e289a361fa488da1c1233daba6e912811e1b76d6

  • SHA256

    34d023e0f662d1dcacc5168a46a686bea468f3c7ea424c5af500b9d885c71121

  • SHA512

    e295213a9dfbd86e17f91dae09f5cb49460e11ced523eac66b01359898311fe7f4f0667f0d168771983f4553f87c9eeb6d369a0cfc068c8e34666da3af61ee2c

  • SSDEEP

    6144:4Ya6txz2Mad5XR9sNa57Zeb9cyU84Yas0eKY6r6:4YnxJadz9VQb9erA6

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ifeanyi@12

Targets

    • Target

      INQUIRY 03746 SRC Project.com

    • Size

      222KB

    • MD5

      fdc6598bd27d4707cdc94286ffb6ffc4

    • SHA1

      ffc0d6d1df15adf481bb601bd3971873167b9cc5

    • SHA256

      da9c5f609ebbcf19aef3d6992d451ccbe4fa77858660f6861146d1a486e1d98e

    • SHA512

      f300adb7ba7d428added50de4443b07304fb222f2ab1a5e2a8e020f4e3a852f267cdb3241f6de7c5e2b040707e559d68a83a3679392b3bc878b4f2ed47869fe9

    • SSDEEP

      6144:vYa6txz2Mad5XR9sNa57Zeb9cyU84Yas0eKY6r6b:vYnxJadz9VQb9erA6i

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks