General

  • Target

    Balance payment made.exe

  • Size

    332KB

  • Sample

    240403-pbhqdach7w

  • MD5

    719c42cc090147553a6c1579c91b4789

  • SHA1

    f3fea4df3bc34e90501a5b9c413a62184f67ff4f

  • SHA256

    c0f96896bb7e168d46975892f9bafc3358fc769568969ee421e7a0dd51ed899a

  • SHA512

    b1baa052046a238aede67262d716effd5d95fc5c4de9e241a26f31e4a80ce80e50e5d31d40677a817145e52b5418e7a0e992cfd706ce0c17851624f066de94b4

  • SSDEEP

    6144:x5wdIQrN5LW7fl1FtNLscgZwsKQs67yqcJu8eZA4uDT3+dhB:PwmwxW7d1hvgZwXQs6+M8UAjDS

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.etiprim.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ETP@habiballah2023

Targets

    • Target

      Balance payment made.exe

    • Size

      332KB

    • MD5

      719c42cc090147553a6c1579c91b4789

    • SHA1

      f3fea4df3bc34e90501a5b9c413a62184f67ff4f

    • SHA256

      c0f96896bb7e168d46975892f9bafc3358fc769568969ee421e7a0dd51ed899a

    • SHA512

      b1baa052046a238aede67262d716effd5d95fc5c4de9e241a26f31e4a80ce80e50e5d31d40677a817145e52b5418e7a0e992cfd706ce0c17851624f066de94b4

    • SSDEEP

      6144:x5wdIQrN5LW7fl1FtNLscgZwsKQs67yqcJu8eZA4uDT3+dhB:PwmwxW7d1hvgZwXQs6+M8UAjDS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks