General

  • Target

    e8e5f2ca84add6e06915a32b9fe67321cc3860d78bbd7213fe9e32460b9d8fa4

  • Size

    2.2MB

  • Sample

    240503-bq9kradf25

  • MD5

    ae97c19966eb5e3fbc49081f32671c79

  • SHA1

    0b132bc006b1335c5bbfee94f56d4e015b81b0d2

  • SHA256

    e8e5f2ca84add6e06915a32b9fe67321cc3860d78bbd7213fe9e32460b9d8fa4

  • SHA512

    fe8fac4c848755d391899230e2f1cb6942539db69ee21c2e7016761f3a1b6af77165160211cac479cb8e2040985fa700fdf45a3bbe43abbb9503cf669d0a7c95

  • SSDEEP

    49152:HRCizQC7ZCIMCQUG/TiHJnAl/Iqqn3TKiDfLN6AO8Lm:HRrz978IrEyJAJNqn3TDF6AO8Lm

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.apexrnun.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    dU*wU0)yR;?4q|-#

Targets

    • Target

      e8e5f2ca84add6e06915a32b9fe67321cc3860d78bbd7213fe9e32460b9d8fa4

    • Size

      2.2MB

    • MD5

      ae97c19966eb5e3fbc49081f32671c79

    • SHA1

      0b132bc006b1335c5bbfee94f56d4e015b81b0d2

    • SHA256

      e8e5f2ca84add6e06915a32b9fe67321cc3860d78bbd7213fe9e32460b9d8fa4

    • SHA512

      fe8fac4c848755d391899230e2f1cb6942539db69ee21c2e7016761f3a1b6af77165160211cac479cb8e2040985fa700fdf45a3bbe43abbb9503cf669d0a7c95

    • SSDEEP

      49152:HRCizQC7ZCIMCQUG/TiHJnAl/Iqqn3TKiDfLN6AO8Lm:HRrz978IrEyJAJNqn3TDF6AO8Lm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks