General

  • Target

    ffdd8588a4da494a7070a25347917227efc01fe55a6bb38d693dd1307893264e

  • Size

    757KB

  • Sample

    240328-bpjb6sce41

  • MD5

    c171e05a7a1323d4e061dda993ce0351

  • SHA1

    30d1f81d95b850248c6a891f724769d45448047c

  • SHA256

    ffdd8588a4da494a7070a25347917227efc01fe55a6bb38d693dd1307893264e

  • SHA512

    3d35a27211e4404a1da8a1c0b07183df8f5096f2f4ca0211f6544ec1c148abdec47acba7bb75087dd663d80540bd89ea1658c86b290c32fca60a01c5de0dfb32

  • SSDEEP

    12288:Kd1JsJ6S0d1Sh2iNwC8kpSm0uZ68dhIan5rNnz4pcOVTNpmj28ZE5y1Ig4F54KGm:Kdjw1G3kpyuZXHVBuWj2kgCIgw2PwDrz

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.scgpl.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    $Hetvishwa5271@djd

Targets

    • Target

      ffdd8588a4da494a7070a25347917227efc01fe55a6bb38d693dd1307893264e

    • Size

      757KB

    • MD5

      c171e05a7a1323d4e061dda993ce0351

    • SHA1

      30d1f81d95b850248c6a891f724769d45448047c

    • SHA256

      ffdd8588a4da494a7070a25347917227efc01fe55a6bb38d693dd1307893264e

    • SHA512

      3d35a27211e4404a1da8a1c0b07183df8f5096f2f4ca0211f6544ec1c148abdec47acba7bb75087dd663d80540bd89ea1658c86b290c32fca60a01c5de0dfb32

    • SSDEEP

      12288:Kd1JsJ6S0d1Sh2iNwC8kpSm0uZ68dhIan5rNnz4pcOVTNpmj28ZE5y1Ig4F54KGm:Kdjw1G3kpyuZXHVBuWj2kgCIgw2PwDrz

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

4
T1005

Tasks