General

  • Target

    5dbddc716f4143d4197f3035bfcb71a00613b91dfc7208ba86f6ac54504d12ca

  • Size

    632KB

  • Sample

    240328-bfbkzacd2y

  • MD5

    e2d974c1421cfe9f4d523da716ad6d0a

  • SHA1

    8b13337583f774a53ff16b067cd439e358012ef2

  • SHA256

    5dbddc716f4143d4197f3035bfcb71a00613b91dfc7208ba86f6ac54504d12ca

  • SHA512

    9c951e4d812b52d7e63c907607859d0f063f8063a734a294f21b75422e8e6d47582bb3c4dc896baf7809f080c0c94dec6ebb14a6ac52961d9ff6a33ee5ea946d

  • SSDEEP

    12288:/ItiCZ3nwyyalO/FUp7rDEubczfnlUv4lhxV/KtBsgILkfeSJ/5mmgVq:wtvJRlO/+p7rDEubcDnlUv6JitmgIAfB

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.magnatextile.com
  • Port:
    587
  • Username:
    accessories@magnatextile.com
  • Password:
    ac%{*}mti{*}$es
  • Email To:
    vriat.pine@gmail.com

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.magnatextile.com
  • Port:
    587
  • Username:
    accessories@magnatextile.com
  • Password:
    ac%{*}mti{*}$es

Targets

    • Target

      L47fz5X2RSrsQIn.exe

    • Size

      658KB

    • MD5

      5313954569433d6b29f6b81862080ae8

    • SHA1

      c113656034eed6c5c6ceaf247a20e002bee317f6

    • SHA256

      fad66fe6b9c99e9b74fc56c06512b5d90a1296d15afba3cc356389524deb56f4

    • SHA512

      db00b6329e45c709ac0bd13aecaec04c8d2593ab20f7fa67196aa67fb709055540e42bb1938fa36c143a2d56fd90ea0ebce953b8d1dbe1f0aa7114c24d0a2206

    • SSDEEP

      12288:byzH2iNlw0m3JX7uJAaMOdUpzrrEwbczfnlU747hx7sG683NLoVS3cit:g1Xu34JjMpzrrEwbcDnlU7SnsaaO

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053): 1

Persistence

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Scheduled Task/Job (T1053): 1

Credential Access

  • Unsecured Credentials (T1552): 4
  • Credentials In Files (T1552.001): 3
  • Credentials in Registry (T1552.002): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 4