General

  • Target

    eec74d1415093fb1433f94fd6b52e8ac88338d471aef2aedccbd3c82c32c8503

  • Size

    244KB

  • Sample

    231208-ctzemaaa6s

  • MD5

    a40f4b0cda9886655d33a81d1d50d50b

  • SHA1

    5c6f13b148be06b67200b7f10504911d6cac387c

  • SHA256

    eec74d1415093fb1433f94fd6b52e8ac88338d471aef2aedccbd3c82c32c8503

  • SHA512

    d55610ada45b562d52cae34cef121886adf0f5347056154ca3f4a6048afcdcea873871bb7963ddb21c506283252530a8ef2e963ef8acb09f8368e8057f670f72

  • SSDEEP

    768:ZpOCUM461xGqTpjk6rNj8Nyo4LNCaCqJ6+rLnx+:XOnMz1IqTpreNyDNJCE8

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    meka.ldc.lv
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    DJj8Mza7MM

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Nlzteo.exe

    • Size

      193KB

    • MD5

      b69f2cdbf28652571e762f9aac158b50

    • SHA1

      2d10897a4446c1f64d5859140a83d516b3ffc358

    • SHA256

      d82b131f63b7421b9de90ad8ac7a793d369996f1e16abcda35513fd06ca8d300

    • SHA512

      d4e5f9baaed7a2b151d6e10c79de959d0a322d21e62e3a556fc9c5f0e763a4ef92e9e0c604108c9349af4ce80408890b547c82a95710b768e3169279477dbaac

    • SSDEEP

      768:npOCUM461xGqTpjk6rNj8Nyo4LNCaCqJ6+rLnx+:pOnMz1IqTpreNyDNJCE8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks