General

  • Target

    83e23b600bcc6a227cb73fc99a665198acf94389a89db05b516868c0efa1c149.iso

  • Size

    784KB

  • Sample

    240213-dmbwesea7t

  • MD5

    2c57261e29cf1baa469a62e30ba1c55f

  • SHA1

    134cc042674e74e2a515c61a531ba7801898694a

  • SHA256

    83e23b600bcc6a227cb73fc99a665198acf94389a89db05b516868c0efa1c149

  • SHA512

    726de34709ca81c75fe17664921160af88df11cdd9609cc5538ca52c830020c52ffb54decbb36b698313497199b955e955580663ccbface89660f7abe1f118d4

  • SSDEEP

    24576:T6t3ZFnsyvk4aO3zYphqM3hfUT9e3hjcl3:2tJNsyM4HwM8hspeRjc

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.aci.hn
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Rivera17

Targets

    • Target

      PAGO -349.exe

    • Size

      722KB

    • MD5

      0f79b5ea035f9421e450a659d77983de

    • SHA1

      9cc01bd4bf352b904e35810c218ea7bfd9b80c12

    • SHA256

      40ca3d8b222a1cdccb3bf0c9b3c2e74d05a4c37f16de18d8dcd1601463744419

    • SHA512

      5a4a322902b43dfe001714132f7748178168067f95905bf8d9b3acde5ab6ac62d01a7e589d4a2b5aeb1e0a5dc360238fc666283ae1054464f3f303b1cea52278

    • SSDEEP

      12288:YJQt3ZyLHky6WSsyIKXipbcaO3zYp8GqMFOOnrhfUxhaeGrVxna2Bj4zpDxjbVVD:Y6t3ZFnsyvk4aO3zYphqM3hfUT9e3hjk

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks