General

  • Target

    994f54dfc7e8da59b64ecfac8c8c377be24d06a21ccc4a17a5f856ea677d8ba2

  • Size

    1.9MB

  • Sample

    240518-j9kpqsbe6w

  • MD5

    bdcd9bedbf20b85d73c3495fe010ae2e

  • SHA1

    1b3aeb8ee65a6b45e378e9f9fb73c5662c9a9f46

  • SHA256

    994f54dfc7e8da59b64ecfac8c8c377be24d06a21ccc4a17a5f856ea677d8ba2

  • SHA512

    b54643cc8d74344adb7d1f634e8d2f360130bac29d7f6c1b148ba5c17eabea8aa3ea736dffe7b2be867a6aaa8afb5a288cd15b1bee3d9b62c642e7518f318c32

  • SSDEEP

    49152:jo9hsopxHMwjS/G6+ecZENGE+hx4g4POjvAuc:joPLpljjS/X+ecaNGEMWUvVc

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.sturmsgroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    y[/wk46uE}y(|Xn[

Targets

    • Target

      fad6e9d5a4474c01d122cd0b4ee707606dbbb2497980923c75f0da1c4a21f022.exe

    • Size

      4.5MB

    • MD5

      b8eb2bd0ba6a574a29fa638246ef945b

    • SHA1

      67353c5b54b108d9b9b5b803f4be373a515c365a

    • SHA256

      fad6e9d5a4474c01d122cd0b4ee707606dbbb2497980923c75f0da1c4a21f022

    • SHA512

      593b0efe3b747ff3c995f8435d290b376b3ae3ee10c5132c4a94a3ddc727d0af1cb9aba5bb5d787fe7f0cc91adde82bee23d90ee680b2dd1b3fdbfee7fe681c1

    • SSDEEP

      24576:OEM52UDlK0cu2CIvBBF8rUwvZEeVUIJbP7TKHQg+vV/tFAjydEEh4QgsPCUqt:

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks