General

  • Target

    2a567dd629f2b01ea358db5d801fb787.bin

  • Size

    605KB

  • Sample

    240408-bhwc6acb5z

  • MD5

    c8527b63c1b322a6a0c9a55426894e8c

  • SHA1

    e00235c37177fd3a890dfd99db2fb98d82669d6f

  • SHA256

    269d1a87cb053855b9af6dffa3d20d4ba0cfed056ecaafa043e118e2309a296a

  • SHA512

    ac7089edebf7050db3c67e61f38cc02a43e3ac600caf9bb7cd061355109d40bdf16c2e428d4f336a2722013a0e9b57319b2b178b089edf2315c34e778c4e8640

  • SSDEEP

    12288:14fWfrMapp4OIhiqwmyw1IvAdfk/NhZYaYkQd2RhQPPLNNdf1H:14clp5AImDgAJk1LYaYkQUSbXj

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    PMOYQrU0
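The extracted configuration above is the sample's exfiltration channel, so the host and port are the first thing a defender should hunt for in network telemetry. The following is an added example (not part of the sandbox report) that runs that hunt over a few constructed, simplified tab-separated connection log lines (timestamp, source IP, destination hostname, destination port); the log format and the IP addresses are assumptions for illustration, only the hostname and port come from the report.

```python
"""Flag internal hosts that contacted the SMTP server extracted from this sample.

Added example, not part of the sandbox report. The log lines are constructed
and use an assumed simplified format: ts <TAB> src_ip <TAB> dst_host <TAB> dst_port.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators copied from the extracted AgentTesla configuration above.
EXFIL_HOST = "us2.smtp.mailhostbox.com"
EXFIL_PORT = 587

# Constructed sample log lines (not real telemetry). Note the mixed-case
# hostname and the non-587 port on the last line: both should still match.
SAMPLE_LOG = """\
2024-04-08T09:12:01Z\t10.0.0.15\tupdates.example.org\t443
2024-04-08T09:12:33Z\t10.0.0.15\tus2.smtp.mailhostbox.com\t587
2024-04-08T09:13:02Z\t10.0.0.22\tmail.corp.example\t587
2024-04-08T09:14:40Z\t10.0.0.15\tus2.smtp.mailhostbox.com\t587
2024-04-08T09:15:11Z\t10.0.0.31\tUS2.SMTP.MAILHOSTBOX.COM.\t25
this line is malformed
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst_host: str
    dst_port: int


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log line; return None for malformed input instead of raising."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts, src, host, port = parts
    try:
        # Normalise the hostname: lower-case and strip a trailing root dot.
        return Conn(ts, src, host.strip().lower().rstrip("."), int(port))
    except ValueError:
        return None


def find_exfil(log_text: str, host: str = EXFIL_HOST) -> List[Conn]:
    """Return every connection to the extracted SMTP host, on any port.

    Matching on the hostname alone deliberately ignores the configured port:
    an operator can change the port in a new build, but the mail host in the
    extracted config is the indicator worth keeping.
    """
    wanted = host.lower()
    hits = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is not None and conn.dst_host == wanted:
            hits.append(conn)
    return hits


def suspicious_sources(log_text: str, host: str = EXFIL_HOST) -> Dict[str, int]:
    """Distinct source IPs that reached the exfiltration host, with hit counts."""
    counts: Dict[str, int] = {}
    for conn in find_exfil(log_text, host):
        counts[conn.src] = counts.get(conn.src, 0) + 1
    return counts


def off_port_hits(log_text: str, host: str = EXFIL_HOST, port: int = EXFIL_PORT) -> List[Conn]:
    """Connections to the exfiltration host on a port other than the configured one."""
    return [c for c in find_exfil(log_text, host) if c.dst_port != port]


if __name__ == "__main__":
    for conn in find_exfil(SAMPLE_LOG):
        print(conn)
    print("sources:", suspicious_sources(SAMPLE_LOG))
    print("off-port:", off_port_hits(SAMPLE_LOG))
```

The same logic transfers directly to DNS query logs (match the queried name) or to a SIEM rule keyed on the destination hostname; the hostname is the durable indicator, the port and the mailbox credentials are the parts most likely to change between builds.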

Targets

    • Target

      PDF Payment Notification fkHWFp2kdYelWk3.exe

    • Size

      632KB

    • MD5

      f8d36232107047afe262f9b8711bce2d

    • SHA1

      bc48516389629f07d29fa8b7425eca0dfbbc6dec

    • SHA256

      a433dfdb99b293b73898ac05be0fbf6baa9d79976655b0c51ba5a5a0066a2632

    • SHA512

      5bfab42733edc5a4cf5c790642e5479331f440f420908812fc2e1dc683e100ac5ab530895d049083b4ba8da6e68e99917e9bd8aaa1456a4c49bfea1ea5902c9c

    • SSDEEP

      12288:DF9lwFa3JY0YPxnyQPgkA/W0L0A4732TH4NrYNHS5sohUHZB:DF9n5UyQPcOcpUGgrb5jmH

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. It sends stolen data out over SMTP, FTP or HTTP; the configuration extracted from this sample uses SMTP (see the credentials above).

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running.

    • Reads user/profile data of local email clients

      Email clients store account data and credentials on disk, where infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers routinely target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address, which is then reported alongside the stolen data.

    • Suspicious use of SetThreadContext

      Setting another thread's context is a common step in process hollowing and other code-injection techniques.
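The report publishes four cryptographic digests and an ssdeep signature for both the submitted .bin and the analysed .exe. The following is an added example (not part of the report) showing how a practitioner would check a local file against those published hashes, treating MD5 and SHA-1 as collision-prone corroboration only, and how to tell whether the two ssdeep signatures are even comparable (ssdeep only compares signatures whose block sizes are equal or differ by a factor of two). The IOC values are copied from the sections above; the file path in main() and the byte strings used for the self-test are constructed.

```python
"""Match a file's digests against the IOCs published in this report.

Added example, not part of the sandbox report. Hash values are copied from the
General and Targets sections above; sample.bin is an assumed local path.
"""
import hashlib
from typing import Dict, List, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

IOCS: Dict[str, Dict[str, str]] = {
    "2a567dd629f2b01ea358db5d801fb787.bin": {
        "md5": "c8527b63c1b322a6a0c9a55426894e8c",
        "sha1": "e00235c37177fd3a890dfd99db2fb98d82669d6f",
        "sha256": "269d1a87cb053855b9af6dffa3d20d4ba0cfed056ecaafa043e118e2309a296a",
        "sha512": "ac7089edebf7050db3c67e61f38cc02a43e3ac600caf9bb7cd061355109d40bd"
                  "f16c2e428d4f336a2722013a0e9b57319b2b178b089edf2315c34e778c4e8640",
        "ssdeep": "12288:14fWfrMapp4OIhiqwmyw1IvAdfk/NhZYaYkQd2RhQPPLNNdf1H:14clp5AImDgAJk1LYaYkQUSbXj",
    },
    "PDF Payment Notification fkHWFp2kdYelWk3.exe": {
        "md5": "f8d36232107047afe262f9b8711bce2d",
        "sha1": "bc48516389629f07d29fa8b7425eca0dfbbc6dec",
        "sha256": "a433dfdb99b293b73898ac05be0fbf6baa9d79976655b0c51ba5a5a0066a2632",
        "sha512": "5bfab42733edc5a4cf5c790642e5479331f440f420908812fc2e1dc683e100ac"
                  "5ab530895d049083b4ba8da6e68e99917e9bd8aaa1456a4c49bfea1ea5902c9c",
        "ssdeep": "12288:DF9lwFa3JY0YPxnyQPgkA/W0L0A4732TH4NrYNHS5sohUHZB:DF9n5UyQPcOcpUGgrb5jmH",
    },
}


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory byte string for every algorithm in ALGOS."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digests_of_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Same as digests(), but streamed so large samples are not read into memory."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match_iocs(d: Dict[str, str], iocs: Dict[str, Dict[str, str]] = IOCS
               ) -> List[Tuple[str, List[str], bool]]:
    """Return (name, matched_algorithms, strong) for every IOC sharing a digest.

    A match is 'strong' only when SHA-256 or SHA-512 agrees. MD5 and SHA-1 are
    collision-prone, so an MD5-only or SHA-1-only hit is reported but not trusted.
    """
    results = []
    for name, entry in iocs.items():
        matched = [a for a in ALGOS if a in entry and entry[a].lower() == d[a].lower()]
        if matched:
            strong = bool({"sha256", "sha512"} & set(matched))
            results.append((name, matched, strong))
    return results


def ssdeep_blocksize(sig: str) -> int:
    """Block size of an ssdeep signature of the form 'blocksize:chunk:double_chunk'."""
    blocksize, _, _ = sig.split(":", 2)
    return int(blocksize)


def ssdeep_comparable(sig_a: str, sig_b: str) -> bool:
    """ssdeep can only score two signatures whose block sizes are equal or differ by 2x."""
    a, b = ssdeep_blocksize(sig_a), ssdeep_blocksize(sig_b)
    return a == b or a == 2 * b or b == 2 * a


if __name__ == "__main__":
    names = list(IOCS)
    print("ssdeep comparable:", ssdeep_comparable(IOCS[names[0]]["ssdeep"], IOCS[names[1]]["ssdeep"]))
    # Assumed local path; replace with the file under investigation.
    print(match_iocs(digests_of_file("sample.bin")))
```

Comparing the two block sizes only tells you that a similarity score is meaningful; computing the score itself needs the ssdeep library, which is not in the standard library and is deliberately left out here.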

MITRE ATT&CK Enterprise v15

Tasks