General

  • Target

    image001_Lamp specification.exe

  • Size

    733KB

  • Sample

    240515-mdncjada46

  • MD5

    1a6fdd695f8aece3449e8a3c0ae8dce6

  • SHA1

    a29f523222d26cf9bdd02d990b2c03364c059cd8

  • SHA256

    ef43d00901552ea97110d68d249fb757932f3f10773f623d06ab6fe2c3e69d08

  • SHA512

    3ac8ed788f46183ea2b9dbe7a4f76b8551124bc7046ca8bc0b7d1045468ea4d64984ffbdd9f365ae8bb70df1bf97c49645d024260d58d4fd1d28e7c244380f25

  • SSDEEP

    12288:EoYMjhvPie/rByY7777777777777WhouD+VLIyI/ap0k7ohabismU92BtdA9gazh:EoYMFniyymuDOLHQSNCIMPA9ga

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.nzobaku.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mKUrJYPDk3rTk

Extracted

Family

agenttesla

Targets

    • Target

      image001_Lamp specification.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15