General

  • Target

    19052024_0210_16052024_IMG_011160528.7z

  • Size

    27KB

  • Sample

    240519-clxk3adc63

  • MD5

    90184b17fa2d0f7771382a1dc43434b1

  • SHA1

    fd0cc4b8a5f911039a292b35dc64b25eb5b38a79

  • SHA256

    43838a45bee0933aa37d516f28180fc23f48db6a47a58cf0613f564edb8846e9

  • SHA512

    44ceb3c27fe9ebaf00c0040d4b4f2bd934d25cecb57b8518f9b31ccc86065c905ef9a538a864fe39a6451db105136d9ae9499e561dc579ae8f36333559716f17

  • SSDEEP

    768:6n5Auzt8mmAfyDyw52znT/wWuNcfp5TkcQfD+3NT:3uzMAaOwanTo5iRicQ0h

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      IMG_011160528.exe

    • Size

      66KB

    • MD5

      6b922539f1cbc89ca73ac0d9bc5df9a0

    • SHA1

      b93e8aec68e05730de4b9b2abe14190f7e8f3e58

    • SHA256

      cb6670f4f7b6a07c25f521019626dbd56cd7a2d4ffbb754769a3dc0e4fe713ec

    • SHA512

      460c2d4e9a6f7c39d94c88530928436492852497f58ef95daec9a2d00d7e1921a805294044a0cfbd9ed37ef0df3a46a2b413c83eb6234fbf6f1acdeb49775014

    • SSDEEP

      1536:V04E/c6ODf/L/EYonabLDnXW+6RFJT9Z8BJQ2rs3hGH:2/7/FJBZMJQ2rpH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks