General

  • Target

    7f83ce8d8a358060a86621e58e4feb4842613b257d2ad51f193cba4a1e2de36cexe.exe

  • Size

    636KB

  • Sample

    231207-x8swlsgb4z

  • MD5

    5ed94cc7fe7a91bd4ac32347864deec1

  • SHA1

    0e2f9c3959e309753ed8541447c9e0e4d15e3201

  • SHA256

    7f83ce8d8a358060a86621e58e4feb4842613b257d2ad51f193cba4a1e2de36c

  • SHA512

    9e3894c3c7e00902493b3dd063798dac8f1a61351f8486227b37b026f246572dced7613ace433b6a43baeb1dc4d6ab0d4f986231fdacb3b5632df67e6465fa18

  • SSDEEP

    12288:JRnQaueH5qnsO4AvEqNqMzaHTMM9HwjjJo1xFulwct1F7BU+9dZHzM83mYubTJZS:JRlqn37QjHv9qJyvulfdP9dZA8xa1gYp

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YAWALESS123@@kkk

Targets

    • Target

      7f83ce8d8a358060a86621e58e4feb4842613b257d2ad51f193cba4a1e2de36cexe.exe

    • Size

      636KB

    • MD5

      5ed94cc7fe7a91bd4ac32347864deec1

    • SHA1

      0e2f9c3959e309753ed8541447c9e0e4d15e3201

    • SHA256

      7f83ce8d8a358060a86621e58e4feb4842613b257d2ad51f193cba4a1e2de36c

    • SHA512

      9e3894c3c7e00902493b3dd063798dac8f1a61351f8486227b37b026f246572dced7613ace433b6a43baeb1dc4d6ab0d4f986231fdacb3b5632df67e6465fa18

    • SSDEEP

      12288:JRnQaueH5qnsO4AvEqNqMzaHTMM9HwjjJo1xFulwct1F7BU+9dZHzM83mYubTJZS:JRlqn37QjHv9qJyvulfdP9dZA8xa1gYp

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks