General

  • Target

    1c6c27efcb4c84e8ebefe53a760e59bd246e17ec60bd6d73c809df6f90221bbd

  • Size

    695KB

  • Sample

    231209-cezf3sffc7

  • MD5

    b0cb5b21f387e3a57b04f95e5e525b7a

  • SHA1

    f9bad09e8eb643871b844df31b7f9ddccf171f95

  • SHA256

    1c6c27efcb4c84e8ebefe53a760e59bd246e17ec60bd6d73c809df6f90221bbd

  • SHA512

    7c44681b0df64250017e88ca858a4799b721eeaee7c09131d757265954a0cae5158b4b6f2b8e4f3eae57366c357dd00208014faf748f74b35ab218f3baf09e2c

  • SSDEEP

    12288:ul5nF85VdqrlbKxqNfgAgj+u5V90McO8Rei0Dl1skejfcjtaUWgvcnO:uloqhbKxgq/90VOAeXCjQa1O

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    nl10.nlkoddos.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    6G]uV2})e[^%

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks