General

  • Target

    f01a3a3a9c895b320ef5cd519cf30eb3.bin

  • Size

    307KB

  • Sample

    240519-bytjhabf73

  • MD5

    6e024229841bf51610a1d273566a6d29

  • SHA1

    65867f7696cf93c08fa4b5607957943c570ebb42

  • SHA256

    3b076212486a6a1a1c9c5c8dce0ed2b0493b4a1368446352b0d4731ec9cba4a6

  • SHA512

    2ce53f50363c8b4b25a5f929df5b1f765372ffb85b5fe3fb47aaf5cfac429c7421917691941164d2fca52ad644eaa546a619eb63657ffff10926b49842151a4a

  • SSDEEP

    6144:QbHiYG3vxx8ZEKspsCVg1vmY8aebPj0CV5vJ8hOpcnysU:EiYG3pw+/VwmYferj0a5vuhOpcnK

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      0c33297e293bffec0a5728c9553044a89b5b4ef7389b2a45fb460dbc0fdf838a.exe

    • Size

      491KB

    • MD5

      f01a3a3a9c895b320ef5cd519cf30eb3

    • SHA1

      2bf14991c94bcc27043cfd0908d3c7df3064ae3a

    • SHA256

      0c33297e293bffec0a5728c9553044a89b5b4ef7389b2a45fb460dbc0fdf838a

    • SHA512

      105b77f75ea1a3101e834744e310791a767529acf6c5bf949833b39efa9fe93b21a1062847e7ad15521fbedb7fe05c3c539b8c7e5cb7c51047091c213284b7e7

    • SSDEEP

      12288:aM5FVuS1Ow2nQARhG3HYoOw8P7r9r/+ppppppppppppppppppppppppppppp0G:3AS1F2nBDFZ1q

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks