General

  • Target

    01b2950054c323053588464b4ccd6525e50f7a0de4616af228368b5e750a7d6b.7z

  • Size

    298KB

  • Sample

    240518-lywnzaec5w

  • MD5

    122d62004392a5e26d7c14139972039c

  • SHA1

    516bdf60b838df5c1182d0eb4c135b94127c2d7a

  • SHA256

    01b2950054c323053588464b4ccd6525e50f7a0de4616af228368b5e750a7d6b

  • SHA512

    5cb74ddc358c9d01325e80bf4b489fe03a4edc2cbbb96cd0e48e1869b50a2807e76f59ca6272a7fc77e871fc0f6530bfbdebfc3a1e4386c0c84938b0f0aa0735

  • SSDEEP

    6144:f6FR1TrpkmR4qTHBQkpaezzVXb9RvwtiBytDNwTcIwt3:yFHTrpkbQHBdVXbb4tpDSoIc

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      shipment invoice.exe

    • Size

      491KB

    • MD5

      f01a3a3a9c895b320ef5cd519cf30eb3

    • SHA1

      2bf14991c94bcc27043cfd0908d3c7df3064ae3a

    • SHA256

      0c33297e293bffec0a5728c9553044a89b5b4ef7389b2a45fb460dbc0fdf838a

    • SHA512

      105b77f75ea1a3101e834744e310791a767529acf6c5bf949833b39efa9fe93b21a1062847e7ad15521fbedb7fe05c3c539b8c7e5cb7c51047091c213284b7e7

    • SSDEEP

      12288:aM5FVuS1Ow2nQARhG3HYoOw8P7r9r/+ppppppppppppppppppppppppppppp0G:3AS1F2nBDFZ1q

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks