General

  • Target

    87c5a2d309ffac0613fcf699301e6180d341ab3ed0f454e65fead4c42224312c.exe

  • Size

    2.2MB

  • Sample

    240502-b45hysdd9w

  • MD5

    c12f51bd01e1c930165aec910beafa0a

  • SHA1

    08d2abaeb27eb108fa931675e32720ee9240ff0e

  • SHA256

    87c5a2d309ffac0613fcf699301e6180d341ab3ed0f454e65fead4c42224312c

  • SHA512

    5884be28545d0bf74c24274648ba5f4fb664e715d33164c46631c057695b1b5a028d8afda2105dd9d47084ab840a8924a3666cd6d3ae86dfc0749f7aa28a591b

  • SSDEEP

    49152:E9EwF9mSciaRzjJE+fOnVn/kaEVhHBMMchYfT7hL/OT8BCD241VY:uly7RZMhEVoMdf/hL/OTD

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.sturmsgroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    y[/wk46uE}y(|Xn[

Targets

    • Target

      87c5a2d309ffac0613fcf699301e6180d341ab3ed0f454e65fead4c42224312c.exe

    • Size

      2.2MB

    • MD5

      c12f51bd01e1c930165aec910beafa0a

    • SHA1

      08d2abaeb27eb108fa931675e32720ee9240ff0e

    • SHA256

      87c5a2d309ffac0613fcf699301e6180d341ab3ed0f454e65fead4c42224312c

    • SHA512

      5884be28545d0bf74c24274648ba5f4fb664e715d33164c46631c057695b1b5a028d8afda2105dd9d47084ab840a8924a3666cd6d3ae86dfc0749f7aa28a591b

    • SSDEEP

      49152:E9EwF9mSciaRzjJE+fOnVn/kaEVhHBMMchYfT7hL/OT8BCD241VY:uly7RZMhEVoMdf/hL/OTD

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks