General

  • Target

    f6ad67ef349b0abb039ce734f8cb09ccd46762c26465828d0c10317ad4f998c4.exe

  • Size

    702KB

  • Sample

    240518-k2jyxach25

  • MD5

    7d55f80ea0077d049ce1657c2f1a1910

  • SHA1

    aecbeece21de6815956b617090983661761fcc0b

  • SHA256

    f6ad67ef349b0abb039ce734f8cb09ccd46762c26465828d0c10317ad4f998c4

  • SHA512

    75148431f1e32b6d45dfcf4b7681e27bbb773c0c74f7953db5505032ab38307dcb0007a52754401011f823c55e12e7166819b77fc4cd16500db6c548241ab59d

  • SSDEEP

    12288:/drLbDZaNRpFxa2UzbNaxlxEAuWEnwPF1fQmMclQ5LWKu2tasNuCHbb8OoVvisTR:lLDZMRpFxCbKENWEnafNMclQ5624swCS

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.farm-valley.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Businessvalley@2020

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      f6ad67ef349b0abb039ce734f8cb09ccd46762c26465828d0c10317ad4f998c4.exe

    • Size

      702KB

    • MD5

      7d55f80ea0077d049ce1657c2f1a1910

    • SHA1

      aecbeece21de6815956b617090983661761fcc0b

    • SHA256

      f6ad67ef349b0abb039ce734f8cb09ccd46762c26465828d0c10317ad4f998c4

    • SHA512

      75148431f1e32b6d45dfcf4b7681e27bbb773c0c74f7953db5505032ab38307dcb0007a52754401011f823c55e12e7166819b77fc4cd16500db6c548241ab59d

    • SSDEEP

      12288:/drLbDZaNRpFxa2UzbNaxlxEAuWEnwPF1fQmMclQ5LWKu2tasNuCHbb8OoVvisTR:lLDZMRpFxCbKENWEnafNMclQ5624swCS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks