General

  • Target

    826d8202d71324a5d3b0b76f33e8633d791e0cd0e8d1130c03a612458f9d7d77.exe

  • Size

    699KB

  • Sample

    240518-k7hyssda68

  • MD5

    7f6851319c375942e2e88afdb6b2a752

  • SHA1

    38cf3164eac0d413acd4d5b92ae1cf18139be7a6

  • SHA256

    826d8202d71324a5d3b0b76f33e8633d791e0cd0e8d1130c03a612458f9d7d77

  • SHA512

    e4e6e04eef53f714b9d1e7cd2c975cf7f3ff20d6abfb6de734b378ccdd1553e359de39707fecc53d0ef2e4020d9b1d6f68ff72d7e7575e69f9596ab6ae65ada3

  • SSDEEP

    12288:TdrLbDZaNRpndZloSEI1BzEkmZLpfy9NkgaYb2egKRBM0/RaxBLsUtJ6U8JMBQ:RLDZMRpndLwZLpaqqvgspaxtsUyZJd

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ipr-co.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    IPRco@100102@

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext