General

  • Target

    fwuvzd.exe

  • Size

    286KB

  • Sample

    240403-nydt9sdb76

  • MD5

    a6f9fd517c37cf1b39aeb4c88177366c

  • SHA1

    6bce5757df0f69560d8eba5fedf46ef1682eb188

  • SHA256

    664b37245df07f80723d2a014fd31e77b3ee06074d1eda962c167aacaa9d9bc3

  • SHA512

    96907d2a872eda21d76016afb5aaeb87e7524df41d7347f4bb9c7a054636a4640c812fd459c06bf40235c91476eb1468ed06eb8da4597df64a21f30379a1d7d2

  • SSDEEP

    6144:xfL+oq+hnjsVl3dRQTLUSy3io7TOTnM35BRTYlrTRhCD0tqmUsZJoU:xfL5njsVlNucSy3iZC5PIptSU

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      fwuvzd.exe

    • Size

      286KB

    • MD5

      a6f9fd517c37cf1b39aeb4c88177366c

    • SHA1

      6bce5757df0f69560d8eba5fedf46ef1682eb188

    • SHA256

      664b37245df07f80723d2a014fd31e77b3ee06074d1eda962c167aacaa9d9bc3

    • SHA512

      96907d2a872eda21d76016afb5aaeb87e7524df41d7347f4bb9c7a054636a4640c812fd459c06bf40235c91476eb1468ed06eb8da4597df64a21f30379a1d7d2

    • SSDEEP

      6144:xfL+oq+hnjsVl3dRQTLUSy3io7TOTnM35BRTYlrTRhCD0tqmUsZJoU:xfL5njsVlNucSy3iZC5PIptSU

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target

      ⠨/start.vbs

    • Size

      231B

    • MD5

      abe1dd23ab4c11aae54f1898c780c0b5

    • SHA1

      bb2f974b3e0af2baa40920b475582bfd4fb28001

    • SHA256

      89054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12

    • SHA512

      e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d

    • Score

      1/10

    • Target

      ⠨/temp.bat

    • Size

      233KB

    • MD5

      58b55cc56434f24c5dfff90a59c34b35

    • SHA1

      39583e91e02cd52ef110b9bdab9bd974316db642

    • SHA256

      5639b5fd5b7647b3cf2a043984f7ed3f3ceb1471db67d697fa6c3a84c5a33bf9

    • SHA512

      8f8a6c44cdf30cbd6a1afed453a0ff1e2487042b2c45832f6aa25469585d097431c91c13598d8bf13f36b03805ebffb665b58ccb0f42859c1c2691fe33dd0be2

    • SSDEEP

      6144:Pq2veAJw0La/2IWa7+Z7+ABT32vv8Jglv:PqO/La1W+S+yTWJ

    • Score

      1/10

MITRE ATT&CK Enterprise v15

Tasks