General

  • Target: a56724def86d4e6a660d12be80144e64.7z
  • Size: 958KB
  • Sample: 240107-ycwhascgdq
  • MD5: a56724def86d4e6a660d12be80144e64
  • SHA1: 17dc38dfafcc5d59000d05dd60004e4f4bb380bc
  • SHA256: 9d0a9c92839800f6145299028e8016f6f61b581fba682fef51d32aab652d1275
  • SHA512: 2bc82fff6cfe754b81705bb12f04b4a0df799f2bf4b478d05a41a15e94ff55729cac037f79d3646b022fa7a0c13731cf0da35ff6efa4037a3eef5d19e73aff31
  • SSDEEP: 24576:MveosOTqRPWPDe4/Bm4mw5HdOvUrx77kRJ5bM+Q1yrEf29dXQFUw:MvePbRPwl8BKdzd77khK1yofSxw

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://ftp.badonfashoin.com/
  • Port: 21
  • Username: [email protected]
  • Password: kKsIA9XNV2zG

Targets

    • Target: 82658.exe
    • Size: 1.3MB
    • MD5: 23bce6c9e9ad0180c5e71ba1ab27df6a
    • SHA1: ca872d69913174f7810d104a674b53157f2a6507
    • SHA256: 8866780810cd65684ba4c903d896da0760dfb0b85f2b9965d9d60bbfc60c94f6
    • SHA512: c86e8fd44bcb76ef442c0d2452fd5679507c72ce58358da5485701eea7c49fbd243b546f4b5a3a7a55175fac7bec3a8129ddd9c5558aa173d3ab74bc674ad332
    • SSDEEP: 24576:QBOsBgo0q4wMzBmCmTOUd+L6kDXWL49wBXdO1UVG7kksP57MTQ1PqEf29mXQdQ:Q4oHM9mCm6Ud+zDXmo0dR47kko71P1fz

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • AgentTesla payload
    • CustAttr .NET packer
      Detects the CustAttr .NET packer in memory.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs such as FileZilla.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks