General

  • Target

    cdc6416614ef3f4b401aff0d519668cd08f7c99f4ebf7c7392ba67193b2c0fea.exe

  • Size

    693KB

  • Sample

    240427-b12ynagd26

  • MD5

    5ea66f46264b909eacc61b8648278e24

  • SHA1

    72de1f4263613095b85b3c33922cd67a3d94cd7d

  • SHA256

    cdc6416614ef3f4b401aff0d519668cd08f7c99f4ebf7c7392ba67193b2c0fea

  • SHA512

    4cc5dd931b8b25e3a554b5dd981b4c8c88574f14cdc63b55b02be96225261b1294e081f1d02d6cdb3dbdef7b3a1ca925cb8fe9ae9557580589ecd745b0eaa6ca

  • SSDEEP

    12288:lYIPXjRZ3XGczUXeXeH4w9065DW5w9Q18+cyCpvv3qIPDI+znzIS7AF3Hm:lYIPN9XGcFeH4w9n5DW50Q18hyC9/rng

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.quoctoan.vn
  • Port: 587
  • Username: long_xnk@quoctoan.vn
  • Password: bGMJNaGYNTLC
  • Email To: dclarkson007@protonmail.com

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks