General

  • Target

    BF-TL-605877001.exe

  • Size

    481KB

  • Sample

    240312-qhvh7abg29

  • MD5

    d555da013d512f714926dd3213083e5d

  • SHA1

    25ae9c59ae5b3bfe27933981b0a68a0445b22458

  • SHA256

    e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457

  • SHA512

    7f3ad943dbdec3c803f8664d2095add10deb9477acf8c3784411708401a7ca748969fba617a82cd212a0070ec84c061719b9d2175b7570ea68b7b51f97b590e0

  • SSDEEP

    6144:0stUW74e1KpFcqsIi3IDCIHA/lWGHalBNLrK2OgBBmdN3MVqRw6aPMGGmGlH:02UWwFZCTsG4BNSgB43MBm

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    66.29.151.236
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    moIynCqPXDmd

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      BF-TL-605877001.exe

    • Size

      481KB

    • MD5

      d555da013d512f714926dd3213083e5d

    • SHA1

      25ae9c59ae5b3bfe27933981b0a68a0445b22458

    • SHA256

      e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457

    • SHA512

      7f3ad943dbdec3c803f8664d2095add10deb9477acf8c3784411708401a7ca748969fba617a82cd212a0070ec84c061719b9d2175b7570ea68b7b51f97b590e0

    • SSDEEP

      6144:0stUW74e1KpFcqsIi3IDCIHA/lWGHalBNLrK2OgBBmdN3MVqRw6aPMGGmGlH:02UWwFZCTsG4BNSgB43MBm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks