General

  • Target

    LATE INVOICES CFA0583574 - CFA0585218 - CFA0585654 - 3ALY002488.exe

  • Size

    618KB

  • Sample

    231210-yytktsbdgl

  • MD5

    ef83aecc2603e9cbf458c502bff0655c

  • SHA1

    b847e6b115ce83f0622e0d4e1f370b8f42da2f80

  • SHA256

    2b486ce27109e1922e7b1623b94178813248820c46b8cee889af078ae9f4ba54

  • SHA512

    7d3bedc4e1af1e2db66fd5e7dba46247e11c172eb3bb4d5ae914ce68d85f6b9b7bba1980301209725f375a7a23b825422ba64f055104ec1085470e70063310e0

  • SSDEEP

    12288:upEmQepZMSTtH4jbP6stFRklnzTUt0hjMyOH5z9meo8mVzLcsmMaZK:upECtH4v6yGzrInR9wfzldR

Malware Config (extracted)

  • Family

    agenttesla

Extracted Credentials

  • Protocol:
    smtp
  • Host:
    mail.abi0expertise.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Najwa1949!
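The extracted config above is the exfiltration channel: the stealer authenticates to mail.abi0expertise.com on TCP 587 with the mailbox credentials and sends harvested data as e-mail. The following is an added example, not part of the sandbox report, showing how an analyst can pull those credentials back out of a captured cleartext SMTP session and match the session against the config. Assumptions not on the page: the transcript format (one line per message, prefixed `C:` for the infected client and `S:` for the server), the `AUTH PLAIN` handling (added for generality), and the mailbox name, which the report redacts, so `user@example.invalid` is a constructed stand-in.

```python
"""Match a captured SMTP session against the Agent Tesla config from the report.

Added example; not code from the report or from the malware. The transcript
layout and the placeholder mailbox name are assumptions.
"""
import base64

# Indicators taken from the report's extracted config.
EXFIL_HOST = "mail.abi0expertise.com"
EXFIL_PORT = 587
EXFIL_PASSWORD = "Najwa1949!"

# Constructed placeholder: the report redacts the real mailbox name.
PLACEHOLDER_USER = "user@example.invalid"


def b64(text):
    return base64.b64encode(text.encode()).decode()


def build_constructed_session(user=PLACEHOLDER_USER, password=EXFIL_PASSWORD):
    """Constructed client/server exchange in the shape an SMTP exfiltration
    produces on port 587 without STARTTLS: EHLO, AUTH LOGIN, then a message."""
    return [
        "C: EHLO DESKTOP-PC",
        f"S: 250-{EXFIL_HOST}",
        "S: 250 AUTH LOGIN PLAIN",
        "C: AUTH LOGIN",
        "S: 334 VXNlcm5hbWU6",          # base64("Username:")
        f"C: {b64(user)}",
        "S: 334 UGFzc3dvcmQ6",          # base64("Password:")
        f"C: {b64(password)}",
        "S: 235 2.7.0 Authentication successful",
        f"C: MAIL FROM:<{user}>",
        f"C: RCPT TO:<{user}>",
        "C: DATA",
    ]


def extract_smtp_credentials(lines):
    """Return (username, password) from an AUTH LOGIN or AUTH PLAIN exchange,
    or None when the client never authenticates."""
    client = [l[2:].strip() for l in lines if l.startswith("C:")]
    for i, cmd in enumerate(client):
        upper = cmd.upper()
        # AUTH LOGIN: username and password follow as two base64 lines.
        if upper == "AUTH LOGIN" and i + 2 < len(client):
            user = base64.b64decode(client[i + 1]).decode(errors="replace")
            password = base64.b64decode(client[i + 2]).decode(errors="replace")
            return user, password
        # AUTH PLAIN: one base64 blob of authzid \0 authcid \0 password,
        # either inline or on the next client line.
        if upper.startswith("AUTH PLAIN"):
            parts = cmd.split(None, 2)
            blob = parts[2] if len(parts) == 3 else (
                client[i + 1] if i + 1 < len(client) else "")
            fields = base64.b64decode(blob).split(b"\0")
            if len(fields) == 3:
                return (fields[1].decode(errors="replace"),
                        fields[2].decode(errors="replace"))
    return None


def assess_session(dst_host, dst_port, lines):
    """Score one captured SMTP session against the report's indicators."""
    creds = extract_smtp_credentials(lines)
    starttls = any(l[2:].strip().upper() == "STARTTLS"
                   for l in lines if l.startswith("C:"))
    return {
        "c2_match": dst_host.lower() == EXFIL_HOST and dst_port == EXFIL_PORT,
        "cleartext_auth": creds is not None and not starttls,
        "username": creds[0] if creds else None,
        "password_matches_config": bool(creds) and creds[1] == EXFIL_PASSWORD,
    }


if __name__ == "__main__":
    session = build_constructed_session()
    print(assess_session(EXFIL_HOST, EXFIL_PORT, session))
```

The check only works on captures where authentication happens before STARTTLS (or where TLS is absent entirely); once the client upgrades, the transcript is encrypted and the match has to rely on the destination host and port alone.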

Targets

    • Target

      LATE INVOICES CFA0583574 - CFA0585218 - CFA0585654 - 3ALY002488.exe

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic; it harvests saved credentials from the host and exfiltrates them, here over SMTP to the server named in the extracted config.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process hollowing and other code-injection techniques.
