General

  • Target

    3e48be9810d15d89af5f0998711cfcfe8d0c91f8056001fbd1c33632a57ce64d.exe

  • Size

    205KB

  • Sample

    240515-bmdznsac84

  • MD5

    aeeb6a8f7b4f4e465b3ce9dc62ec024e

  • SHA1

    e6b8fb14f9cf2f524ae706fbf1bbdf91b7615e76

  • SHA256

    3e48be9810d15d89af5f0998711cfcfe8d0c91f8056001fbd1c33632a57ce64d

  • SHA512

    a2aa125e2f927dc3336e444fd0be9a8519c42480173f90a2f677d6d5433187bcd51d99b5637006576ea7ef751c1b7024a53840833104df2698fd03ae0ec3ab3e

  • SSDEEP

    3072:44NnCDDRvLGprOAOkGt6+duWA/t/SHUebbxCbGgKk12qk/FPYm21KLbDoUssNXN2:1stvLGcxLbMUMK21H
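The digests above are the only reliable way to confirm that a file on disk is the sample this report describes (the filename is itself just the SHA256, which proves nothing). The following is an added example, not part of the sandbox report: it computes every digest the header lists and compares them against the published values. SSDEEP is left out on purpose, since fuzzy hashes need the third-party `ssdeep` module and are compared by similarity score rather than equality.

```python
"""Verify that a file is the sample described in the report header.
Added example; the digests below are copied from the report above."""
import hashlib
from pathlib import Path

# Published digests from the report's General section.
REPORT_HASHES = {
    "md5": "aeeb6a8f7b4f4e465b3ce9dc62ec024e",
    "sha1": "e6b8fb14f9cf2f524ae706fbf1bbdf91b7615e76",
    "sha256": "3e48be9810d15d89af5f0998711cfcfe8d0c91f8056001fbd1c33632a57ce64d",
    "sha512": "a2aa125e2f927dc3336e444fd0be9a8519c42480173f90a2f677d6d5433187bcd51d99b5637006576ea7ef751c1b7024a53840833104df2698fd03ae0ec3ab3e",
}


def digest_bytes(data):
    """Return {algorithm: hex digest} for every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def compare(computed, expected=REPORT_HASHES):
    """Return {algorithm: bool}. All four should agree; a partial match means a
    transcription error in the expected table, not a different file."""
    return {name: computed[name] == expected[name].lower() for name in expected}


def verify_file(path):
    """True only if every published digest matches the file at `path`."""
    data = Path(path).read_bytes()
    return all(compare(digest_bytes(data)).values())


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <path-to-candidate-file>
    print("match" if verify_file(sys.argv[1]) else "MISMATCH")
```

Run it against the candidate file before doing anything else with the report's IOCs; a MISMATCH on one algorithm only is a sign the hash was copied wrongly, while a mismatch on all four means you are holding a different build.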

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    66.29.151.236
  • Port:
    587
  • Username:
    sendahelpde@coleoffice.shop
  • Password:
    s9jjoVvaZchS
  • Email To:
    helpdesk@coleoffice.shop

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    66.29.151.236
  • Port:
    587
  • Username:
    sendahelpde@coleoffice.shop
  • Password:
    s9jjoVvaZchS

Targets

    • Target

      3e48be9810d15d89af5f0998711cfcfe8d0c91f8056001fbd1c33632a57ce64d.exe

    • Size

      205KB

    • MD5

      aeeb6a8f7b4f4e465b3ce9dc62ec024e

    • SHA1

      e6b8fb14f9cf2f524ae706fbf1bbdf91b7615e76

    • SHA256

      3e48be9810d15d89af5f0998711cfcfe8d0c91f8056001fbd1c33632a57ce64d

    • SHA512

      a2aa125e2f927dc3336e444fd0be9a8519c42480173f90a2f677d6d5433187bcd51d99b5637006576ea7ef751c1b7024a53840833104df2698fd03ae0ec3ab3e

    • SSDEEP

      3072:44NnCDDRvLGprOAOkGt6+duWA/t/SHUebbxCbGgKk12qk/FPYm21KLbDoUssNXN2:1stvLGcxLbMUMK21H

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written for .NET (Visual Basic .NET). It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; this sample uses the SMTP configuration extracted above.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detects packed .NET executables, mostly AgentTesla v4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds a Run key to start the application

      Writes a value under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run so the sample is relaunched at logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is the usual final step of process hollowing: the payload is written into a suspended child and its entry point redirected before the thread is resumed.
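The extracted SMTP configuration and the behaviours listed above translate directly into host-telemetry detections. The following is an added example, not part of the sandbox report: it runs three rules over constructed Sysmon-style events (registry value set, DNS query, network connect) and then asks which process showed the whole chain, persistence plus external-IP lookup plus a connection to the C2 mail server. The C2 host and port come from the Extracted Credentials block; the IP-lookup hostnames are an assumption, since the report does not say which service the sample queried, and every event record is invented. SetThreadContext is not visible in Sysmon and is left to an EDR.

```python
"""Hunt the report's behaviours in Sysmon-style events.
Added example; events are constructed, not from the sandbox run."""
import re

# From the report's "Extracted Credentials" block.
C2_SMTP = {"ip": "66.29.151.236", "port": 587}
# Assumed: public IP-lookup services commonly queried by infostealers.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com"}
# Processes that legitimately speak SMTP submission; anything else on 25/465/587 is worth a look.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

# Constructed events mirroring Sysmon field names (EID 13 registry set, 22 DNS, 3 network).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    {"EventID": 22, "Image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Roaming\svc.exe",
     "DestinationIp": "66.29.151.236", "DestinationPort": 587, "Protocol": "tcp"},
    # Benign noise: a browser on 443 and explorer touching an unrelated key.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\.txt", "Details": "txtfile"},
]


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, image, evidence) tuples. One event may fire several rules."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append(("run_key_persistence", image, ev["TargetObject"]))
        elif eid == 22 and ev.get("QueryName", "").lower() in IP_LOOKUP_HOSTS:
            hits.append(("external_ip_lookup", image, ev["QueryName"]))
        elif eid == 3:
            port = int(ev.get("DestinationPort", 0))
            dest = f'{ev.get("DestinationIp")}:{port}'
            # Atomic IOC: dies as soon as the actor rotates the mail server.
            if ev.get("DestinationIp") == C2_SMTP["ip"] and port == C2_SMTP["port"]:
                hits.append(("agenttesla_smtp_exfil", image, dest))
            # Behavioural rule: survives C2 rotation, needs tuning for local mail agents.
            if port in SMTP_PORTS and _basename(image) not in MAIL_CLIENTS:
                hits.append(("smtp_from_unexpected_process", image, dest))
    return hits


def processes_with_full_chain(hits):
    """Images showing persistence, IP lookup and the C2 connection together.
    The combination is far more specific than any single rule: installers write
    Run keys and plenty of tools look up the external IP."""
    by_image = {}
    for rule, image, _ in hits:
        by_image.setdefault(image, set()).add(rule)
    want = {"run_key_persistence", "external_ip_lookup", "agenttesla_smtp_exfil"}
    return sorted(img for img, rules in by_image.items() if want <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for hit in found:
        print(*hit)
    print("full chain:", processes_with_full_chain(found))
```

Feed it real events by replacing `SAMPLE_EVENTS` with records parsed from your Sysmon forwarder; the field names already match Sysmon's. Keep the atomic IOC and the behavioural rule both deployed: the former gives a high-confidence match on this exact campaign, the latter keeps catching the family after the credentials in the config are rotated.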

MITRE ATT&CK Enterprise v15
