General

  • Target

    57a398dff9d4f68861c268582db4c71ed7a685e1e87e65f1e685b1acaad10c2c.rar

  • Size

    667KB

  • Sample

    240518-lbd6eadc37

  • MD5

    5a89daa1e050cba1779cde2763012b64

  • SHA1

    ef9d48ec4a12917b7d7dcdeab8fc874a18ba2fb5

  • SHA256

    57a398dff9d4f68861c268582db4c71ed7a685e1e87e65f1e685b1acaad10c2c

  • SHA512

    d449555dddb95471691bcad103d19673605d87749006b0d89d7b0238284364cfea9c6a097353707bc857b61a30fcf59e31ac2a2c54b1cd94b609f44c2ef5ade8

  • SSDEEP

    12288:cbRWTEkkRkID5X8uaZ/BRu7D69JDABhMVGdVmb2b+oHQamiA7Z2CmDB4:CyclNsxZ/BR/sBWVImqb+ymivCmDB4

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

    • Protocol:
      smtp
    • Host:
      mail.ipr-co.org
    • Port:
      587
    • Username:
      [email protected]
    • Password:
      IPRco@100102@
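
The extracted SMTP configuration is the sample's exfiltration channel: stolen credentials are mailed out through mail.ipr-co.org on port 587 with the mailbox above. As an added example (not part of the sandbox report), the Python below shows how an analyst recovers those credentials from a packet capture of the exfil session, where AUTH LOGIN sends username and password as plain base64 when STARTTLS is not negotiated, and checks them against the extracted config. The session transcript is constructed, and because the report redacts the username, a placeholder address stands in for it.

```python
"""Recover the SMTP AUTH LOGIN credentials from a captured exfil session and
check them against the config the sandbox extracted (added example, not part
of the sandbox report; the transcript below is constructed)."""
import base64
from typing import Dict, List, Optional

# Values taken from the report's extracted credentials block.
EXTRACTED_CONFIG = {
    "protocol": "smtp",
    "host": "mail.ipr-co.org",
    "port": 587,
    "password": "IPRco@100102@",
}

# Assumption: the report redacts the username, so a placeholder stands in for it.
PLACEHOLDER_USER = "user@example.invalid"

# Constructed transcript of a plaintext AUTH LOGIN exchange (no STARTTLS).
# "334 VXNlcm5hbWU6" / "334 UGFzc3dvcmQ6" are the server's base64-encoded
# "Username:" / "Password:" prompts; the client answers in base64 as well.
SAMPLE_SESSION: List[str] = [
    "S: 220 mail.ipr-co.org ESMTP ready",
    "C: EHLO DESKTOP-VICTIM",
    "S: 250-mail.ipr-co.org",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: " + base64.b64encode(PLACEHOLDER_USER.encode()).decode(),
    "S: 334 UGFzc3dvcmQ6",
    "C: SVBSY29AMTAwMTAyQA==",   # base64 of the extracted password
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<" + PLACEHOLDER_USER + ">",
    "S: 250 2.1.0 Ok",
]


def _b64_text(token: str) -> Optional[str]:
    """Decode one base64 token to text, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def recover_auth_login(session: List[str]) -> Optional[Dict[str, Optional[str]]]:
    """Pull the username and password out of an AUTH LOGIN exchange.

    Lines are "S: ..." (server) or "C: ..." (client). Handles both the
    two-step form and the RFC 4954 initial-response form
    ("AUTH LOGIN <base64 username>"). Returns None if no AUTH LOGIN completed.
    """
    creds: Dict[str, Optional[str]] = {}
    expecting: Optional[str] = None
    for line in session:
        if len(line) < 3 or line[1:3] != ": ":
            continue
        side, text = line[0], line[3:]
        if side == "C" and text.upper().startswith("AUTH LOGIN"):
            parts = text.split()
            if len(parts) == 3:             # username supplied inline
                creds["username"] = _b64_text(parts[2])
                expecting = "password"
            else:
                expecting = "username"
            continue
        if expecting is None:
            continue
        if side == "S":
            if not text.startswith("334"):  # server rejected or ended the exchange
                expecting = None
            continue
        creds[expecting] = _b64_text(text)
        expecting = "password" if expecting == "username" else None
        if "password" in creds:
            break
    return creds if "password" in creds else None


def matches_extracted_config(creds, session: List[str], config=EXTRACTED_CONFIG) -> bool:
    """True when the captured session is this sample's exfil channel: the
    recovered password equals the extracted one and the server greeting
    names the extracted host."""
    if not creds or creds.get("password") != config["password"]:
        return False
    greeting = next((l[3:] for l in session if l.startswith("S: 220")), "")
    return config["host"] in greeting


if __name__ == "__main__":
    found = recover_auth_login(SAMPLE_SESSION)
    print("recovered:", found)
    print("matches extracted config:", matches_extracted_config(found, SAMPLE_SESSION))
```

If the capture shows STARTTLS before AUTH, nothing is recoverable from the wire and the sandbox-extracted config is the only source of the credentials; the host and port are still usable for egress blocking and for retro-hunting outbound port 587 connections from workstations in proxy and firewall logs.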

Targets

    • Target

      PO#7A68D23.exe

    • Size

      699KB

    • MD5

      7f6851319c375942e2e88afdb6b2a752

    • SHA1

      38cf3164eac0d413acd4d5b92ae1cf18139be7a6

    • SHA256

      826d8202d71324a5d3b0b76f33e8633d791e0cd0e8d1130c03a612458f9d7d77

    • SHA512

      e4e6e04eef53f714b9d1e7cd2c975cf7f3ff20d6abfb6de734b378ccdd1553e359de39707fecc53d0ef2e4020d9b1d6f68ff72d7e7575e69f9596ab6ae65ada3

    • SSDEEP

      12288:TdrLbDZaNRpndZloSEI1BzEkmZLpfy9NkgaYb2egKRBM0/RaxBLsUtJ6U8JMBQ:RLDZMRpndLwZLpaqqvgspaxtsUyZJd

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account and profile data on disk, which infostealers routinely target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, such as saved credentials and cookies.

    • Adds Run key to start application

      Writes a value under the CurrentVersion\Run registry key so the executable is launched again at logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context is how process hollowing and similar injection techniques redirect a suspended thread into injected code.
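
The signatures above describe what the dropped executable touched while it ran. As an added example (not the sandbox's own detection logic), the Python below turns that list into host-side triage over a few constructed Sysmon-style registry, file and DNS events: each signature is mapped to the registry keys and files those applications use to store credentials, a single hit is treated as weak evidence (FileZilla legitimately reads its own sitemanager.xml), and a process is flagged only when it touches credential stores of several unrelated applications. The IP-lookup domains are assumed examples, since the report does not name the service it observed, and the extracted SMTP host is added as an extra indicator derived from the config rather than from a report signature.

```python
"""Host-side triage of the behaviours the sandbox flagged for PO#7A68D23.exe
(added example, not the sandbox's detection logic; events are constructed)."""
import re
from collections import defaultdict
from typing import Dict, List

# Report signature -> patterns over the registry paths / file paths / DNS names
# those applications use for stored credentials. The IP-lookup domains are
# assumed examples (the report does not name the service); the last entry is
# derived from the extracted SMTP config rather than from a report signature.
SIGNATURES: Dict[str, List[str]] = {
    "Reads WinSCP keys stored on the system": [
        r"\\Martin Prikryl\\WinSCP 2\\Sessions",
    ],
    "Reads data files stored by FTP clients": [
        r"\\FileZilla\\(sitemanager|recentservers)\.xml$",
    ],
    "Reads user/profile data of local email clients": [
        r"\\Thunderbird\\Profiles\\",
        r"\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles",
    ],
    "Reads user/profile data of web browsers": [
        r"\\User Data\\[^\\]+\\Login Data$",                      # Chromium-based
        r"\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db)$",
    ],
    "Adds Run key to start application": [
        r"\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    ],
    "Looks up external IP address via web service": [
        r"^(api\.ipify\.org|checkip\.dyndns\.org|icanhazip\.com)$",  # assumed
    ],
    "Contacts SMTP host from extracted config": [
        r"^mail\.ipr-co\.org$",
    ],
}

# Constructed Sysmon-style events: (pid, kind, target). pid 4120 stands for
# PO#7A68D23.exe, pid 2212 for a legitimate FileZilla instance.
SAMPLE_EVENTS = [
    (4120, "reg",  r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\prod-sftp"),
    (4120, "file", r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"),
    (4120, "file", r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\x1.default\logins.json"),
    (4120, "file", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4120, "reg",  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PO#7A68D23"),
    (4120, "dns",  "api.ipify.org"),
    (4120, "dns",  "mail.ipr-co.org"),
    (2212, "file", r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"),
    (2212, "dns",  "filezilla-project.org"),
]

_COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
             for name, pats in SIGNATURES.items()}


def match_signatures(events) -> Dict[int, Dict[str, List[str]]]:
    """Group, per process, the signatures its events triggered and the targets
    that triggered them."""
    hits: Dict[int, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for pid, _kind, target in events:
        for name, pats in _COMPILED.items():
            if any(p.search(target) for p in pats):
                hits[pid][name].append(target)
    return {pid: dict(sigs) for pid, sigs in hits.items()}


def triage(events, min_signatures: int = 3) -> Dict[int, dict]:
    """One signature alone is weak evidence: FileZilla reads its own
    sitemanager.xml. A process touching the credential stores of several
    unrelated applications is the infostealer pattern the report describes,
    so flag only when at least min_signatures distinct signatures fire."""
    return {
        pid: {"signatures": sorted(sigs), "suspicious": len(sigs) >= min_signatures}
        for pid, sigs in match_signatures(events).items()
    }


if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS).items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "benign"
        print(f"pid {pid}: {flag} ({len(verdict['signatures'])} signatures)")
        for name in verdict["signatures"]:
            print("   ", name)
```

The threshold is deliberately on distinct signatures rather than raw event counts: a backup agent can read every FileZilla file on the box and still only trip one category, while the sample trips seven with a single event each. Feed real Sysmon event IDs 11 (file create), 12/13 (registry) and 22 (DNS) into the same tuples to run this against live telemetry.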

MITRE ATT&CK Enterprise v15

Tasks