General

  • Target

    2c8a3906090144a978a557057175ac9a35f3fbfe9e3656af816b315e872a0817

  • Size

    760KB

  • Sample

    240521-bxkvzadg98

  • MD5

    824eccab5d0971111499c8d8fa954ad7

  • SHA1

    47e4d29e8280a9d4e744031e90f9e7013ebf91c2

  • SHA256

    2c8a3906090144a978a557057175ac9a35f3fbfe9e3656af816b315e872a0817

  • SHA512

    cd4d13dcbdaacad9d8fa7c9bbee03b773a6159624ceb7bf143ea0159a1117a164ab123bd8672b644251d1421533ed6750f0eb4fc3b161c8bf3f8674f5752bab2

  • SSDEEP

    12288:lIgWET/mr9K+22BEEzFatn/NRUsoAkHz1NglTMaT5472NxgsgtohraXXauyR0Wlj:zWtb3BEPRcAkHzITMOa2NNxaHretJH7r

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.leema.lk
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    V[3ALIg~jl}T

Targets

    • Target

      2c8a3906090144a978a557057175ac9a35f3fbfe9e3656af816b315e872a0817

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
