General

  • Target

    11_12_2023_Dönemi_MEVDUAT Ekstre Bilgiler.exe

  • Size

    713KB

  • Sample

    231211-j99zmahgdm

  • MD5

    9b1c2e790bed23b904a9e70ebb183af0

  • SHA1

    b2e331aa2e9668d138cc40927084c8f94e261eab

  • SHA256

    a124ff6a1be6a2680e8c99779e401168bfe26e22b848a514ca76782c6d4b009f

  • SHA512

    1e6d040b9dd561e9f61717d49c287f7ca001fdd824b173a00f2059cc8eac89632443c478d01e24b74eb96c25d4665df5fe078e6604045be7467e40759667c0d5

  • SSDEEP

    12288:Xq3IU8S6eUdHYKApKI5erYikQQJv/2kZO80j4SyIIJXv4+3Aspp9hnuE9z/bs:XgItSAd4nht2kZO5Mw+3AspbZx

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.polkaplastik.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    info1453?@

Targets

    • Target

      11_12_2023_Dönemi_MEVDUAT Ekstre Bilgiler.exe

    • Size

      713KB

    • MD5

      9b1c2e790bed23b904a9e70ebb183af0

    • SHA1

      b2e331aa2e9668d138cc40927084c8f94e261eab

    • SHA256

      a124ff6a1be6a2680e8c99779e401168bfe26e22b848a514ca76782c6d4b009f

    • SHA512

      1e6d040b9dd561e9f61717d49c287f7ca001fdd824b173a00f2059cc8eac89632443c478d01e24b74eb96c25d4665df5fe078e6604045be7467e40759667c0d5

    • SSDEEP

      12288:Xq3IU8S6eUdHYKApKI5erYikQQJv/2kZO80j4SyIIJXv4+3Aspp9hnuE9z/bs:XgItSAd4nht2kZO5Mw+3AspbZx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks