General

  • Target

    3949bec4816ddc4f9f0e1f676f72e5080436bd25ef1deed355322fc818712cbeexe.exe

  • Size

    508KB

  • Sample

    231207-x7lqxaga7v

  • MD5

    dd348013f6383e0edd8eaa771003699d

  • SHA1

    c7ddd7c9587d700519c205ce54d48261e89c4019

  • SHA256

    3949bec4816ddc4f9f0e1f676f72e5080436bd25ef1deed355322fc818712cbe

  • SHA512

    8c72328c3a7cd1ebf691e4608da812979e59e49b1d00f0986d003658e1f84371f92b16714495c1cc0eeccc7e657497f0a3b83a0092bdaf708ed88c09da3f4c16

  • SSDEEP

    6144:jSgxZkvqveZV/kQlIrGVq79emWCLWcyqxmxcrwK/t:1MZVcQKGIUmDTrge/t

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    mydevelopmentstory.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ENugu@042EN

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://mydevelopmentstory.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ENugu@042EN

Targets

    • Target

      3949bec4816ddc4f9f0e1f676f72e5080436bd25ef1deed355322fc818712cbeexe.exe

    • Size

      508KB

    • MD5

      dd348013f6383e0edd8eaa771003699d

    • SHA1

      c7ddd7c9587d700519c205ce54d48261e89c4019

    • SHA256

      3949bec4816ddc4f9f0e1f676f72e5080436bd25ef1deed355322fc818712cbe

    • SHA512

      8c72328c3a7cd1ebf691e4608da812979e59e49b1d00f0986d003658e1f84371f92b16714495c1cc0eeccc7e657497f0a3b83a0092bdaf708ed88c09da3f4c16

    • SSDEEP

      6144:jSgxZkvqveZV/kQlIrGVq79emWCLWcyqxmxcrwK/t:1MZVcQKGIUmDTrge/t

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks