General

  • Target

    f9f607644cbcd66fdcfaf88eb689ed9d5c5bad4e770ebefbd708d055e288c678.exe

  • Size

    450KB

  • Sample

    240403-p7hp9add5w

  • MD5

    c8abfd532a42ea366b12a6589b20e059

  • SHA1

    1ee4bbea603845555ff876570c252fb2359af5f0

  • SHA256

    f9f607644cbcd66fdcfaf88eb689ed9d5c5bad4e770ebefbd708d055e288c678

  • SHA512

    9db73ec4a5e268e8b6c78e58e9934bdd01294c763ca80cd86cb4988aa03cbbcd9cb90252ce274d104aa74b14dd64d3b871b7ccbb7065a6e4b96d24d5f435e51e

  • SSDEEP

    12288:QGOzvLvzFvHJGPN5MP7r9r/+ppppppppppppppppppppppppppppp0G:szvLvzFQk1q

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.medicalhome.com.pe
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MHinfo01

Targets

    • Target

      f9f607644cbcd66fdcfaf88eb689ed9d5c5bad4e770ebefbd708d055e288c678.exe

    • Size

      450KB

    • MD5

      c8abfd532a42ea366b12a6589b20e059

    • SHA1

      1ee4bbea603845555ff876570c252fb2359af5f0

    • SHA256

      f9f607644cbcd66fdcfaf88eb689ed9d5c5bad4e770ebefbd708d055e288c678

    • SHA512

      9db73ec4a5e268e8b6c78e58e9934bdd01294c763ca80cd86cb4988aa03cbbcd9cb90252ce274d104aa74b14dd64d3b871b7ccbb7065a6e4b96d24d5f435e51e

    • SSDEEP

      12288:QGOzvLvzFvHJGPN5MP7r9r/+ppppppppppppppppppppppppppppp0G:szvLvzFQk1q

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks