General

  • Target

    e3c48ba70cb42a88e5ebe7e22a5c28ddf8993f9c5106d0ab7e38450229f374c6exe.exe

  • Size

    737KB

  • Sample

    231207-x3yvnsef86

  • MD5

    a0a98d41a45aaa6af1ad3d084218e1b7

  • SHA1

    aaf63c99c9313bd7ee46b67f5bea4f35e967e1af

  • SHA256

    e3c48ba70cb42a88e5ebe7e22a5c28ddf8993f9c5106d0ab7e38450229f374c6

  • SHA512

    96542a1828b66845095f98fb62fb99975a507a89bcc487139045800c5bc1a05bedc337e3699a06887969319b6f8fb51e568d13e42c12815d6d0092b71367e495

  • SSDEEP

    12288:qqc3+GCueH5qtq485C4yKsh8v7TxLnnpxm2WZfQ0l9CLVzev:q/uG2qg4R8v7TxLpwHt/Qg

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    viorel5000@yandex.ru
  • Password:
    YAWALESS123@@kkk
  • Email To:
    viorel5000@yandex.ru

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    viorel5000@yandex.ru
  • Password:
    YAWALESS123@@kkk

Targets

    • Target

      e3c48ba70cb42a88e5ebe7e22a5c28ddf8993f9c5106d0ab7e38450229f374c6exe.exe

    • Size

      737KB

    • MD5

      a0a98d41a45aaa6af1ad3d084218e1b7

    • SHA1

      aaf63c99c9313bd7ee46b67f5bea4f35e967e1af

    • SHA256

      e3c48ba70cb42a88e5ebe7e22a5c28ddf8993f9c5106d0ab7e38450229f374c6

    • SHA512

      96542a1828b66845095f98fb62fb99975a507a89bcc487139045800c5bc1a05bedc337e3699a06887969319b6f8fb51e568d13e42c12815d6d0092b71367e495

    • SSDEEP

      12288:qqc3+GCueH5qtq485C4yKsh8v7TxLnnpxm2WZfQ0l9CLVzev:q/uG2qg4R8v7TxLpwHt/Qg

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Collection

Data from Local System

3
T1005

Tasks