General

  • Target

    f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909

  • Size

    481KB

  • Sample

    240313-cydnqaad5t

  • MD5

    45b1dc45eec64dd6ef42ff827d4405fd

  • SHA1

    f34c8c2fe7c5bc610b4513cd853d97304960d429

  • SHA256

    f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909

  • SHA512

    abcfdf3b41c8ffb9327d7e2ac97b52666bf8e1afcca44344ec3ad492fe2b16069b8951aa20a112f655cc7a94b8b4bbad5a373893baa37010ad857ac0afc2ba99

  • SSDEEP

    6144:JAtVdRkURiLBetRu2m10c/XOsnx/Bjr7xii6wgDm7NE/m2O0BBAdN3MVqRw6aPMB:JCVdRkEtY/+a/BLj6wkm7N/0Bi3MBW

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    server1.marfinllc.shop
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    X!-1rrkP_qxp

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909

    • Size

      481KB

    • MD5

      45b1dc45eec64dd6ef42ff827d4405fd

    • SHA1

      f34c8c2fe7c5bc610b4513cd853d97304960d429

    • SHA256

      f42496aca487ec4753a8f887f26c0eb5862e6626b4e474614c611d4b28f45909

    • SHA512

      abcfdf3b41c8ffb9327d7e2ac97b52666bf8e1afcca44344ec3ad492fe2b16069b8951aa20a112f655cc7a94b8b4bbad5a373893baa37010ad857ac0afc2ba99

    • SSDEEP

      6144:JAtVdRkURiLBetRu2m10c/XOsnx/Bjr7xii6wgDm7NE/m2O0BBAdN3MVqRw6aPMB:JCVdRkEtY/+a/BLj6wkm7N/0Bi3MBW

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks