General

  • Target

    37d15999173d91a0a29db83c6962912d.exe

  • Size

    658KB

  • Sample

    231207-vjeatadh53

  • MD5

    37d15999173d91a0a29db83c6962912d

  • SHA1

    1100641ebfc52ecd245d9fd303074f8051dc8ac7

  • SHA256

    2214a1536f1997efda81e136d845661f0178b44a6b104f72d7f73628e6158d08

  • SHA512

    32ca859b827ccabe15fa443d4bcf62e9adfe511ec5ab3ca9983224db256dfbb9783904c6a38056b5b9b584458eed33acd4a2c1ad009aabfe1cba632dc3d9efba

  • SSDEEP

    12288:DhkZ5QD3d204DoM6Ljx5P5OcUpvHCUbJqrHk5KZTwkeI3ShewZW8w:DK/QDdZ48M6L95pyJqrHk5KZTwkN3GeK

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    obilogs@hulkeng.xyz
  • Password:
    7213575aceACE@
  • Email To:
    obilogs@hulkeng.xyz

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    obilogs@hulkeng.xyz
  • Password:
    7213575aceACE@

Targets

    • Target

      37d15999173d91a0a29db83c6962912d.exe

    • Size

      658KB

    • MD5

      37d15999173d91a0a29db83c6962912d

    • SHA1

      1100641ebfc52ecd245d9fd303074f8051dc8ac7

    • SHA256

      2214a1536f1997efda81e136d845661f0178b44a6b104f72d7f73628e6158d08

    • SHA512

      32ca859b827ccabe15fa443d4bcf62e9adfe511ec5ab3ca9983224db256dfbb9783904c6a38056b5b9b584458eed33acd4a2c1ad009aabfe1cba632dc3d9efba

    • SSDEEP

      12288:DhkZ5QD3d204DoM6Ljx5P5OcUpvHCUbJqrHk5KZTwkeI3ShewZW8w:DK/QDdZ48M6L95pyJqrHk5KZTwkN3GeK

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Collection

Data from Local System

3
T1005

Tasks