General

  • Target

    61a5dfe1070729024f430dc564ebe0b3b5e7566258fe06c9a132756b5223c73acab.cab

  • Size

    608KB

  • Sample

    231207-yhplyagd8v

  • MD5

    624abc807dde9168debfecd12ed68a39

  • SHA1

    0caff508627beadb48a3c662f0f476e03c085604

  • SHA256

    61a5dfe1070729024f430dc564ebe0b3b5e7566258fe06c9a132756b5223c73a

  • SHA512

    b2de424cc9b704382739108fea40f48272cc87d0323ddd8a7cb19c6dc33812757138d1d6267ea5a3bf4bdfb585a394fc1d4604d9f852c205df3d236018517316

  • SSDEEP

    12288:R6s8jX2yBOpMwZt+Oik9nwhBEm4pZ5fzJfO4mtRk3gFSAA:MLrgy8XtwhBH8Z5924mtRk3gIT

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.dcc-asia.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    soso@#1235

Targets

    • Target

      SHIPPING DOCUMENT_9871610T00077003_pdf.exe

    • Size

      639KB

    • MD5

      c60068fde058f588a2b7fe236cfbc0e9

    • SHA1

      d5b3d029b3645a1f2cbf14ec1d134276e47d60e2

    • SHA256

      a75840200db6ba9313053ab15551f6c758d78ac9ffbe75ede0f36e744eaed24b

    • SHA512

      146f766575aa3f81a4d90247871e17cd99bb572720f1a5b72a0ace9140476556d321e82526176bc831eefd029253c5fa627eb7ba78bbd73e2c080447fa2249c0

    • SSDEEP

      12288:CE5QaueH5qjR82KUIdsNQ3GZDlOPk9JiPB7a4pZ5fBJfOUmtakjg7s:CE3qjWsI6wKo44PBu8Z5L2Umtaks

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks