General

  • Target

    6650242e9e46806b2db451d6125486eabc4b1bd7694759182ee2c6ad5b364a5b

  • Size

    1.5MB

  • Sample

    231209-cf99zaffd5

  • MD5

    a9fe84657de4396d62925b7e8930e18a

  • SHA1

    25516973bb4d8491748785d031447e58d594440b

  • SHA256

    6650242e9e46806b2db451d6125486eabc4b1bd7694759182ee2c6ad5b364a5b

  • SHA512

    106bda7b9453a25d9cddc179b44fb49c61d0cd24c097dfe6a4d9fe390d3c37403c653428cf12e02b4e4907bca4df0781dbb0caf3bd72635644485826c63c830a

  • SSDEEP

    24576:bqsj4VDZCwlN64PDF/svGe/6djUqlv2z8W7:bzjs/lNvCOeSxUqt2zl7

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Starwings@@586

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      6650242e9e46806b2db451d6125486eabc4b1bd7694759182ee2c6ad5b364a5b

    • Size

      1.5MB

    • MD5

      a9fe84657de4396d62925b7e8930e18a

    • SHA1

      25516973bb4d8491748785d031447e58d594440b

    • SHA256

      6650242e9e46806b2db451d6125486eabc4b1bd7694759182ee2c6ad5b364a5b

    • SHA512

      106bda7b9453a25d9cddc179b44fb49c61d0cd24c097dfe6a4d9fe390d3c37403c653428cf12e02b4e4907bca4df0781dbb0caf3bd72635644485826c63c830a

    • SSDEEP

      24576:bqsj4VDZCwlN64PDF/svGe/6djUqlv2z8W7:bzjs/lNvCOeSxUqt2zl7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect PureCrypter injector

    • Detect ZGRat V1

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks