General

  • Target

    9911742dece406745ed3fdaf47f07a346ab5d2ce30c561968dadb7a0534684de.exe

  • Size

    716KB

  • Sample

    240521-bwjaradg77

  • MD5

    e61ccd2fc9dd14a43fe0cd0fcf7e41db

  • SHA1

    22f37c3327810f945268c6f373b617da74885133

  • SHA256

    9911742dece406745ed3fdaf47f07a346ab5d2ce30c561968dadb7a0534684de

  • SHA512

    74fe56d0a40b415e8c826cda3bac115a1aca81645371c9d55dddb1aae09ed7a67ffd4d85d668a833c8033bfb177140da653127500d48394d9a08f036e97fdffe

  • SSDEEP

    12288:1WET/mr9KW0vj0sIT8VoJDgHxJvZd166LmWHB5VWFFjWryYVpCbP6xpPnH:1Wt30vjDIQoUJdKSgFaeipC2j

Malware Config

Extracted

Family

agenttesla

Extracted Credentials

  • Protocol:
    smtp
  • Host:
    mail.saralgumruk.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Srl--789789_

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
