General

  • Target

    copy#10607753.exe

  • Size

    274KB

  • Sample

    240403-p7hegsdg72

  • MD5

    e0f776d5c784cc1696ff0e23bb6c86bf

  • SHA1

    2411b05684e01da4793451577bf1ba9ddcc3f188

  • SHA256

    892ab31c686601fb795155002a84a5a9a5e599d772b069a05926d9b2f6172869

  • SHA512

    40afc32c3ad63689f973c2b45d8b16a2ef975417d7dfd66257e9b3da1141f26154464ffc9d0b3d9a70e6dd9d2e93075f49bf7efd9c09d62c5f69812c7006488a

  • SSDEEP

    3072:uZm+TPNLR5oKsJY1Cv259mr0pknZ8BI/uYZVGMkTWnIN2zqa0ARlfBWeSV4S/eZm:GmKlN1R7z6tkqnhz5PXlw/w6wAV

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

    • Protocol:
      smtp
    • Host:
      66.29.151.236
    • Port:
      587
    • Username:
      [email protected]
    • Password:
      DRaa8A9L3DVc

Targets

    • Target

      copy#10607753.exe

    • AgentTesla

      Agent Tesla is a .NET-based remote access trojan and information stealer; the original builds were written in Visual Basic .NET. It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP, which is consistent with the SMTP configuration extracted above.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store user data, including saved credentials, on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Adds Run key to start application

      Persistence: a value is written under a ...\Software\Microsoft\Windows\CurrentVersion\Run key so that the binary is launched again at logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process hollowing and related injection techniques: a process is created suspended, its image is replaced in memory, and the main thread's entry point is redirected before it is resumed.
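As an added example that is not part of this report, the indicators above (the sample hashes, the SMTP exfiltration host and port from the extracted config, the Run-key persistence and the external-IP lookup) turned into a small Python hunt over Sysmon-style events. The events are constructed for illustration, and the list of IP-lookup hostnames is an assumption, since the report does not name the service the sample used.

```python
import json

# Indicators taken from the report above.
SAMPLE_HASHES = {
    "MD5": "e0f776d5c784cc1696ff0e23bb6c86bf",
    "SHA1": "2411b05684e01da4793451577bf1ba9ddcc3f188",
    "SHA256": "892ab31c686601fb795155002a84a5a9a5e599d772b069a05926d9b2f6172869",
}
EXFIL_HOST = "66.29.151.236"   # SMTP host from the extracted config
EXFIL_PORT = 587               # submission port from the extracted config
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Assumption: the report does not say which IP-lookup service was used;
# these are well-known ones. Extend to match your environment.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com",
                   "icanhazip.com", "ifconfig.me"}


def parse_hashes(field):
    """Split Sysmon's 'Hashes' field ('SHA256=...,MD5=...') into a dict,
    lower-casing the values so they compare to the report's hex."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(ev):
    """Return the names of the report indicators that one Sysmon event matches."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation: compare every hash Sysmon recorded
        seen = parse_hashes(ev.get("Hashes", ""))
        if any(seen.get(algo) == digest for algo, digest in SAMPLE_HASHES.items()):
            hits.append("sample_hash")
    elif eid == 3:  # outbound connection to the exfiltration mail server
        if ev.get("DestinationIp") == EXFIL_HOST:
            port = int(ev.get("DestinationPort", 0))
            hits.append("smtp_exfil" if port == EXFIL_PORT else "exfil_host_other_port")
    elif eid == 13:  # registry value set under a Run/RunOnce key (persistence)
        target = ev.get("TargetObject", "").lower()
        if ev.get("EventType") == "SetValue" and any(m in target for m in RUN_KEY_MARKERS):
            hits.append("run_key_persistence")
    elif eid == 22:  # DNS query for an external-IP lookup service
        if ev.get("QueryName", "").lower() in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    return hits


def hunt(ndjson_text):
    """Parse newline-delimited JSON events and return (indicator, event) pairs."""
    results = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for name in match_event(ev):
            results.append((name, ev))
    return results


# Constructed sample telemetry (not real logs). Sysmon writes hashes in upper-case hex.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Users\user\Downloads\copy#10607753.exe",
     "Hashes": "SHA1=2411B05684E01DA4793451577BF1BA9DDCC3F188,"
               "MD5=E0F776D5C784CC1696FF0E23BB6C86BF"},
    {"EventID": 22, "QueryName": "api.ipify.org"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\copy",
     "Details": r"C:\Users\user\AppData\Roaming\copy.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
    {"EventID": 3, "DestinationIp": "66.29.151.236", "DestinationPort": "587"},
])

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_LOG):
        print(f"{name:22s} EventID={ev['EventID']}")
```

Hash matching is done on every algorithm Sysmon recorded, so a host whose Sysmon config only logs SHA1 still fires. A connection to the exfiltration host on a port other than 587 is reported separately rather than dropped, since the same server may be reused with a different configuration.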

MITRE ATT&CK Enterprise v15

Tasks