General

  • Target

    e08caa66b9897ebe1c06cc36cbf8aa5ef7063c20dc94ec09e464c3f5e29cca00.exe

  • Size

    875KB

  • Sample

    240403-p2xbfsdg22

  • MD5

    1058ec0750d9ba07196a000e75612624

  • SHA1

    db7f6e234fc166a3c21ebe4b6b0a566600fb9932

  • SHA256

    e08caa66b9897ebe1c06cc36cbf8aa5ef7063c20dc94ec09e464c3f5e29cca00

  • SHA512

    72dea23ed3d20140ab2afaded813d5805c2f4c56fecb3f4b1164e49af10c4e4ba1d4da0b7943d159338bb1e9d361340a3c696fa2fe341ff5383abf400244de7b

  • SSDEEP

    12288:6/Sr+pAQ3inVFataJ6YusOUvNE06+qviWFOSTZK+98eQFs7NpUE/:J+AQ32HQERu06+qvitSTT5QFspr

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.tmf.bg.ac.rs
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    31.rac.16!

Targets

    • Target

      e08caa66b9897ebe1c06cc36cbf8aa5ef7063c20dc94ec09e464c3f5e29cca00.exe

    • Size

      875KB

    • MD5

      1058ec0750d9ba07196a000e75612624

    • SHA1

      db7f6e234fc166a3c21ebe4b6b0a566600fb9932

    • SHA256

      e08caa66b9897ebe1c06cc36cbf8aa5ef7063c20dc94ec09e464c3f5e29cca00

    • SHA512

      72dea23ed3d20140ab2afaded813d5805c2f4c56fecb3f4b1164e49af10c4e4ba1d4da0b7943d159338bb1e9d361340a3c696fa2fe341ff5383abf400244de7b

    • SSDEEP

      12288:6/Sr+pAQ3inVFataJ6YusOUvNE06+qviWFOSTZK+98eQFs7NpUE/:J+AQ32HQERu06+qvitSTT5QFspr

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks