General

  • Target

    28e103aedf6189b6ceeede328e835bb0_NEIKI

  • Size

    2.2MB

  • Sample

    240508-kakq5abc91

  • MD5

    28e103aedf6189b6ceeede328e835bb0

  • SHA1

    797f0a0b49b47d307b132b2b98359fae652bdcf9

  • SHA256

    897a936cf95738f343eba3cbd4bbfc99504c08b6dec488a6e0d532ca6e3a5eae

  • SHA512

    8022dbf51f64873e6079eb453ed9fd4c17ec52ea1b41ac6f60585ce5efb632dd583974bd5ba5eb2e162ba8be37e34c44b49f9a44345f5fa2555660a7fd6dcadf

  • SSDEEP

    49152:32Zv4kXMao68qLx3nAefDg5QBJPwdQAs/DNNHwkznzpgcgF/FD+:32K68qLx3AsDgeB54s7t1gc0/FD

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.id-net.fr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    zhi33

Targets

    • Target

      28e103aedf6189b6ceeede328e835bb0_NEIKI

    • Size

      2.2MB

    • MD5

      28e103aedf6189b6ceeede328e835bb0

    • SHA1

      797f0a0b49b47d307b132b2b98359fae652bdcf9

    • SHA256

      897a936cf95738f343eba3cbd4bbfc99504c08b6dec488a6e0d532ca6e3a5eae

    • SHA512

      8022dbf51f64873e6079eb453ed9fd4c17ec52ea1b41ac6f60585ce5efb632dd583974bd5ba5eb2e162ba8be37e34c44b49f9a44345f5fa2555660a7fd6dcadf

    • SSDEEP

      49152:32Zv4kXMao68qLx3nAefDg5QBJPwdQAs/DNNHwkznzpgcgF/FD+:32K68qLx3AsDgeB54s7t1gc0/FD

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks