General

  • Target

    cb6670f4f7b6a07c25f521019626dbd56cd7a2d4ffbb754769a3dc0e4fe713ec.exe

  • Size

    66KB

  • Sample

    240518-h1c3vshb4w

  • MD5

    6b922539f1cbc89ca73ac0d9bc5df9a0

  • SHA1

    b93e8aec68e05730de4b9b2abe14190f7e8f3e58

  • SHA256

    cb6670f4f7b6a07c25f521019626dbd56cd7a2d4ffbb754769a3dc0e4fe713ec

  • SHA512

    460c2d4e9a6f7c39d94c88530928436492852497f58ef95daec9a2d00d7e1921a805294044a0cfbd9ed37ef0df3a46a2b413c83eb6234fbf6f1acdeb49775014

  • SSDEEP

    1536:V04E/c6ODf/L/EYonabLDnXW+6RFJT9Z8BJQ2rs3hGH:2/7/FJBZMJQ2rpH

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      cb6670f4f7b6a07c25f521019626dbd56cd7a2d4ffbb754769a3dc0e4fe713ec.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks