General

  • Target

    cc9e44cb351b8ccbdff7856a16e7cba3782d02fd0fb14f95c5d9346f410c61b4

  • Size

    2.4MB

  • Sample

    240322-cn8fcafb26

  • MD5

    c5a8d9f1ee447c0bc19801a8a22e5c60

  • SHA1

    b5d97cd3d63530ec73e8842fd47174f4ef45da10

  • SHA256

    cc9e44cb351b8ccbdff7856a16e7cba3782d02fd0fb14f95c5d9346f410c61b4

  • SHA512

    56e22370fda6900dc1da513174952aae11e5abd988823ff5491c116e6189f1c12900e02b76987f6aa5e14e7ed39353d6b47dc7349f6ba96bcf01e3b32f387850

  • SSDEEP

    49152:b6gS2WgqlEZI62glJc8NGn3kKUgNuOVsi1TD4HHqod5rTuXhP1FeEo:ed2aELw8NIULg5sG3QHNZuRT+

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    66.29.151.236
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    09Xt0hBU4PzO

Targets

    • Target

      cc9e44cb351b8ccbdff7856a16e7cba3782d02fd0fb14f95c5d9346f410c61b4

    • Size

      2.4MB

    • MD5

      c5a8d9f1ee447c0bc19801a8a22e5c60

    • SHA1

      b5d97cd3d63530ec73e8842fd47174f4ef45da10

    • SHA256

      cc9e44cb351b8ccbdff7856a16e7cba3782d02fd0fb14f95c5d9346f410c61b4

    • SHA512

      56e22370fda6900dc1da513174952aae11e5abd988823ff5491c116e6189f1c12900e02b76987f6aa5e14e7ed39353d6b47dc7349f6ba96bcf01e3b32f387850

    • SSDEEP

      49152:b6gS2WgqlEZI62glJc8NGn3kKUgNuOVsi1TD4HHqod5rTuXhP1FeEo:ed2aELw8NIULg5sG3QHNZuRT+

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks