General

  • Target

    e13b63573cfb98b8edb49f0394ed6ae15be523235c2fd9d2b33fe90d808e4f00.exe

  • Size

    225KB

  • Sample

    240518-le78nadd59

  • MD5

    599347430dd6552927d556caec60b859

  • SHA1

    e7e9befb641bf95e3a715b03521295bb45905704

  • SHA256

    e13b63573cfb98b8edb49f0394ed6ae15be523235c2fd9d2b33fe90d808e4f00

  • SHA512

    34ed16ed0b660e1567da5ca08b64c6fbc7550a930a659d75f95b3f1ad213b0ee765464f9794181d3e00d4f20a373db311e22f007c4026e074224baa69b820dc1

  • SSDEEP

    6144:oiucV67BBEzUbqe/PIx1XCbsCd093POgCL2Mg1:oiuLBOCdkcQ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      e13b63573cfb98b8edb49f0394ed6ae15be523235c2fd9d2b33fe90d808e4f00.exe


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      be2621a78a13a56cf09e00dd98488360

    • SHA1

      75f0539dc6af200a07cdb056cddddec595c6cfd2

    • SHA256

      852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5

    • SHA512

      b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

    • SSDEEP

      192:eB2HS+ihg200uWz947Wzvxu6v0MI7JOde+Ij5Z77dslFsE+:3S62Gw947ExuGDI7J8EF7KIE

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      635a4d7f264997f031324ffb27c7abae

    • SHA1

      99e86ddd2c896790dc4273b37bcb1d7d8ec2c390

    • SHA256

      5494025d21648fdb824a9f4c66d539b17283c7301bb1acbce62af8445173eee1

    • SHA512

      3d293febfba641692a2cb996c3233f01781b1596b1f373181394fddaafd23608eb8ec06e1e6651c0605c2cea5a83275ec939859d529cf99055aa0e3f108f5ac2

    • SSDEEP

      96:07fhZwXd8KgEbAa9PweF1WxD8ZLMJGgmkN738:pN8KgWAuLWxD8ZAGgmkN

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks