General

  • Target

    2660-8-0x0000000005480000-0x00000000054F6000-memory.dmp

  • Size

    472KB

  • Sample

    240522-gpnvjsee2t

  • MD5

    e3b9dd2206d777134e43b0aaeac631cf

  • SHA1

    f8c40eba57dc7eb20dad3875fd5e9f3da651256e

  • SHA256

    604a53ef64abeb21ad5ea74b794485fc9719d51575d77bcf0ba8ec5e3c60ec55

  • SHA512

    fa70fa7efa37783dd2f2aab2caec99d1d3d3d77447e652571a8841f62694020d80ad9af2d3f0b8b1284f53c76a1d1e3e37d44237bcd8527e788eb86144e2a666

  • SSDEEP

    12288:QGOzvLvzFvHJGPN5MP7r9r/+ppppppppppppppppppppppppppppp0G:szvLvzFQk1q

Malware Config

Extracted

  • Family

    agenttesla

Credentials

Extracted

  • Protocol:
    smtp
  • Host:
    mail.medicalhome.com.pe
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MHinfo01

Targets

    • Target

      2660-8-0x0000000005480000-0x00000000054F6000-memory.dmp

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks