General

  • Target

    f3f16394e19924cab07947150440a98afe830eed093d28a5c1864749f334c7df

  • Size

    1.3MB

  • Sample

    240521-b3dzlsea77

  • MD5

    299e7498a9dea3b12e0c70872b69368b

  • SHA1

    e6161b31c7672d7f66d052b48b1ab026481329e2

  • SHA256

    f3f16394e19924cab07947150440a98afe830eed093d28a5c1864749f334c7df

  • SHA512

    f9a3f7d0270c3b1a14f5bb27256ab070068b5942a7154d0ee2bc2b91f38ba60e9e2d67a0cd691a29bbdadc57d4486004f60037be57e005dd2067698a451b929c

  • SSDEEP

    24576:MWtb3BECGZup4YNqyDU/ak0VC+Gx9l/UKz:nZBEC+hYcl0VC+GHl/Tz

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    cozuns.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ku;_MUOVC3;E

Targets

    • Target

      OSW10953T8I3N.exe

    • Size

      758KB

    • MD5

      2324eb726442477fd815ef208dea89d8

    • SHA1

      384b147072ae53249a6141fd12ae99f29c45c77f

    • SHA256

      3638e246dffc1c3aa6feb42adfe4fa4f57ea73cbcc6da8767a1b08db70670009

    • SHA512

      4eaef4a02e46fa68e9ae042cc23717afe78caf228613b85fd89fdd1a63f43bf8d82738bd904a6532d38c64a8c8e44ce182b001fe806deceb732f9a0e93680beb

    • SSDEEP

      12288:7IsWET/mr9K+22BEEzFatnAGC8fup4YNEaayCwg7/akeCIgJmCVJKG9Hn9l/0VTy:hWtb3BECGZup4YNqyDU/ak0VC+Gx9l/X

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks