General

  • Target

    b1aa0a9cd2e8e5a9612ada324e8de5341d4804e58787caad4278527704df606c.zip

  • Size

    652KB

  • Sample

    240427-by9wgshb7z

  • MD5

    798dd6a52dfad4bbea1eac8d2006e7ff

  • SHA1

    80c688169235812853d28a296c6bdf14972fe69c

  • SHA256

    b1aa0a9cd2e8e5a9612ada324e8de5341d4804e58787caad4278527704df606c

  • SHA512

    ac5f1a9faf6182cb910e3e6830706c18d37daa93446e22c7b51db0dfdc3a6502c6a826407f2ab9ee99749be48a47aca42ea0bb1fbb926573381039f4e07ba6bc

  • SSDEEP

    12288:24K2MlfM+u0wrHN/voXvSTyUgrCcKFsXJIl6Q6cypZy+/I6StMZ9CR:nRKfM+1wrmfSUrVmsZIl6Q6cr+/TcMZo

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Payment details.exe

    • Size

      706KB

    • MD5

      d88a9970ec7a11ade4a6dfc3d8150496

    • SHA1

      90e72afbb1eed4c0f20fbc8a7ef5e3069ece0eef

    • SHA256

      c159014c79f8dc4d7888b0c092286f9b47fb2b1497dfbfa7c0620d78257127e2

    • SHA512

      54596967f17980e34528c20a2b284edcd03c02dd105d904600cb4e48816b560c201371b2f202db962a1df37dca310dd4a82ed08ab12683ccde74dd404d0a1af2

    • SSDEEP

      12288:GTn3D0uf8+u0wrXN/HoX18jyU0rOcKdIXxIlmQockPZS+/I6YtMl0:Az0uf8+1wriF8grBkIhIlmQocz+/TmM

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks