General

  • Target

    39c7d172a93ec92a91e80c7089cf870b.bin

  • Size

    10KB

  • Sample

    240519-bhe16sac2x

  • MD5

    779c495bacbedea9ee54263ada1a8965

  • SHA1

    5c6dff5c5993d54aabd222d45a890c44f355e19c

  • SHA256

    76ff5f34fa78006077eaf7c29cd3f1f9b69fa529fb350918d84baab06ceca85b

  • SHA512

    59497b094edfc617e116ba426d74c2feb76cd603085843df3d03933c46873672396a10f187a8d0205c0b1689b1cfe0c59345111f34c2eb0e7765fd4e1f6871e4

  • SSDEEP

    192:xD8MHJrK0zIKXg2UieYeRiyHEEvRDy4JGO426QJz9O8ARnONfLai:xvHJ9vDUBYMhEEv9BC26QJiWj

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      IMG_579710265.exe

    • Size

      22KB

    • MD5

      57e9834d71244b6add226a796c8af38d

    • SHA1

      d4e23fd9b4046a8ce53edeb4b5e84c46e6c5deeb

    • SHA256

      0a4827e189c37e36ca441ef495dc1e6c71c076d873e6b7d696c79339ad3b6c38

    • SHA512

      2580181a7e256322e1139a293295e07602ebbad0b295c9212134b07d6ca121a8c9e2d9905ef5b6848120c7c0c19e044d5dbead27c9a334bdd993ed97fad77da0

    • SSDEEP

      384:bofKwx9ivWJwuZa1DZTeCl8Heq79nYPLpFzDGHJzOFzDGsT8JN77hhQ33:cywxbJVmh2HeI9EBDGpzOBDGsI3hGH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks