General

  • Target

    a2af1ab3dfa43f53d50c2b2e555404a79a93352bb3be48eacafbe02385d7f5b8

  • Size

    2.3MB

  • Sample

    240519-bmv8ysag68

  • MD5

    ae254556475fdb5cbacc196456c6915e

  • SHA1

    b87480589f905a3992e67fcb7e45137135cbf994

  • SHA256

    a2af1ab3dfa43f53d50c2b2e555404a79a93352bb3be48eacafbe02385d7f5b8

  • SHA512

    00906ee1742d65e5fc6d3ffaf0e09ab91b9dcb621d281b764ab324dcf51127e5d61878dea0a3aac158babd1e66818d406a0e3966465ba1a04ffbe39c4db3e371

  • SSDEEP

    49152:g77ENwgV4bmzCH+5gPEzhM86GqfbSN/Zz9WZqOdhueP:oQNhVEH++ElfOkZz9WoOdhueP

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

      • Protocol:
        smtp
      • Host:
        mail.apexrnun.com
      • Port:
        587
      • Username:
        [email protected]
      • Password:
        CCu5Z?WuH+bS4hsz

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks