General

  • Target

    a804fb03f59e855deae2343c4a6ad689.exe

  • Size

    891KB

  • Sample

    240107-yascvscffl

  • MD5

    a804fb03f59e855deae2343c4a6ad689

  • SHA1

    ff8ed1734e1b0864e32423bed99acced8f9f60f4

  • SHA256

    226ab3f67d5d1861b6051dc65c8f5fcfcbadf0a78ae258002eace8be0ce24a7b

  • SHA512

    637b64b00078e9765740bc763cd8c6733132f89c4492879e5c21e6770b555bd52cb0c18b7db995c32e9dc6a6f9588894ccb1901dccbb2dc641342883ccc9491a

  • SSDEEP

    24576:63lMWYqRoirD59QTXUgOkEZQu3nWZA8FBFoYmeEkvMD:o1vCirHCumC4oyv

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    serv-10708.handsonwebhosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    icui4cu2@@

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Drops file in Drivers directory

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks