General

  • Target

    87f2db0e741aa05efa63e4d98bce45c9.bin

  • Size

    2.2MB

  • Sample

    240502-by5xjafd64

  • MD5

    5197928e67a59cc54b8699fd88505acf

  • SHA1

    3da254a5989d81bf0cebfa135cbc8cd3ce536aef

  • SHA256

    25b7eff58bf61e983e7d1cbea90bd383d77401a3f089a13ae934ac163e272838

  • SHA512

    1d0ed25077699a0762e4975ef7f2afeabb7d7c8f2f0d59016299fd5478a73f0ee3b556f320455677352d5848a8e7b5ffddad6c2aa0b6d4813cd882041524e904

  • SSDEEP

    49152:d7bX1yw9AARf9ZLdcy9Bk04ptaAYH+fwqtblkmQDnPd0G9pkD+k6GDXq8wByjf/:d/1t9AA7ZLdc28ptaQfwUlkm2lz9ad6M

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gencoldfire.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    U+&%W@y1mSEUOinP

Targets

    • Target

      3121673a3bf3bdb07a02c5e730f09c272a4ec1c8510cd80a601b6e5e79d8eadc.exe

    • Size

      2.2MB

    • MD5

      87f2db0e741aa05efa63e4d98bce45c9

    • SHA1

      2f7b705480debc6bf48a325e189212cac3771e7e

    • SHA256

      3121673a3bf3bdb07a02c5e730f09c272a4ec1c8510cd80a601b6e5e79d8eadc

    • SHA512

      27d609cd1960417ec8b531b252e855ee27b43e65201d5d5cc551f7762c40e56e223255df4162d1779103e664a90606a6a1abb5f8f56fc5c4c80b075eceedd0ef

    • SSDEEP

      49152:WKB2FpJDke68YMb6qm+mM9HgGCXh7OzJoyyPhDOX5d7i6:TBW68tbYqHgGJTyPhS5d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks