General

  • Target

    c2cd39749446ec1143a7cee483a189aa3d6f875eca52add69e54ec860c9a8827

  • Size

    677KB

  • Sample

    240518-j8592sbe27

  • MD5

    0d7d363efb871cf9e0d90171459a14af

  • SHA1

    a684f07da63832a6bdad69d805a31e244717f3a6

  • SHA256

    c2cd39749446ec1143a7cee483a189aa3d6f875eca52add69e54ec860c9a8827

  • SHA512

    0bd9dcb0d9d2b6bd4ad5e0d182be921ef52ff94564dadd3a0f705f074d1fdaa6411197ec25a89a2109f48a497abe25f86c7295c3e53feed7c39700c4b70511b3

  • SSDEEP

    12288:eifQ2qj4vR9RCeRfyPlpIzeE/RUGW1GMOZR9bREzl/PRv1+Jvz7I/OwyJZ:ei42qjmw4fy9qzeE/RTnT9bSzl/x1QcS

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.erbagelektronik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Erbag2024!**

Targets

    • Target

      32909bbd3c2dbe9566f238899fbceabb22c90d58cebfd60b83683fdde4634703.exe

    • Size

      708KB

    • MD5

      e7d4d2b32cdebd6cabe35743ebb18cea

    • SHA1

      0bc43b55e25f9959b47cd54444c10564a576b460

    • SHA256

      32909bbd3c2dbe9566f238899fbceabb22c90d58cebfd60b83683fdde4634703

    • SHA512

      be5079b801f30a88dc5a57c959fc200b7255a6f55cc25394f1f5c5e496ade11f1881ac5174fac080fa684ac7b767dcdf8b59f02e42360e7c3fc094e593707a85

    • SSDEEP

      12288:80pei36RcrhK2VAJZV5ZUARp3tbQ8LhzOn8mmjNkQ6eps1QRKY4506:/pp36KrZVAJZVwA3a8L5Nj6FeC1+KY45

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this sample's extracted configuration exfiltrates harvested data over SMTP (see Credentials above).

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to change Windows Defender settings, adding exclusions for file extensions, paths, and processes so the payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewrites another thread's register context, a common step in process hollowing or code injection used to run the payload inside a different process.
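The following triage script is an added example, not part of the sandbox report or of the Agent Tesla sample. It checks a Windows host for the behaviours listed above: Defender exclusions added via PowerShell, files matching the report's SHA256 hashes, and connections to the extracted SMTP host. It assumes it is run elevated, that PowerShell script block logging (Event ID 4104) is enabled, and, optionally, that Sysmon is installed with network logging; the $SmtpHost and hash values are taken from this report, the search paths are an assumption.

```powershell
# Added triage script (example, not from the report). Run elevated.
$SmtpHost   = 'mail.erbagelektronik.com'      # from the extracted config
$KnownSha256 = @(                              # both hashes from this report
    'c2cd39749446ec1143a7cee483a189aa3d6f875eca52add69e54ec860c9a8827',
    '32909bbd3c2dbe9566f238899fbceabb22c90d58cebfd60b83683fdde4634703'
)

# 1. Current Defender exclusions. Agent Tesla adds path/extension/process
#    exclusions, so anything unexpected here is a strong signal.
$pref = Get-MpPreference
[pscustomobject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionExtension = $pref.ExclusionExtension
    ExclusionProcess   = $pref.ExclusionProcess
} | Format-List

# 2. Defender configuration-change events (Event ID 5007 in the Defender
#    Operational log) that mention exclusions, newest first.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message

# 3. PowerShell script blocks (Event ID 4104) that called Add-MpPreference or
#    Set-MpPreference. Properties[2] is ScriptBlockText in the 4104 schema.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Add-MpPreference|Set-MpPreference' } |
    Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Properties[2].Value } }

# 4. Hash executables in the usual drop locations (assumed paths) against
#    the report's SHA256 values.
$searchPaths = "$env:TEMP", "$env:USERPROFILE\Downloads", "$env:APPDATA"
Get-ChildItem -Path $searchPaths -Include *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash.ToLower()
        if ($KnownSha256 -contains $h) { "MATCH $h $($_.FullName)" }
    }

# 5. Sysmon network connections (Event ID 3) to the exfil mail server or to
#    TCP/587 from a non-mail-client process. Skipped silently if Sysmon is absent.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3
} -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match [regex]::Escape($SmtpHost) -or
        $_.Message -match 'DestinationPort:\s*587\b'
    } |
    Select-Object TimeCreated, Message
```

Steps 2 and 3 are the ones worth turning into a standing detection: a 5007 event that adds an exclusion, or a 4104 script block containing Add-MpPreference, should be rare on a managed endpoint and maps directly to the "Command and Scripting Interpreter: PowerShell" behaviour above. Step 5 only helps if the host has Sysmon; otherwise check the perimeter or mail gateway logs for port 587 traffic to the listed host.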
