General

  • Target

    1301dd3fb7afbea695c0d81ca9016ddb9b0090ee3c51717a6b8b7e4206ad0208.exe

  • Size

    755KB

  • Sample

    240522-rm6mpaeb36

  • MD5

    8e04b44c3b8b8a8b6cdca6908dd8e4c3

  • SHA1

    33100246c5c088d7d4972a36752dbc840427c496

  • SHA256

    1301dd3fb7afbea695c0d81ca9016ddb9b0090ee3c51717a6b8b7e4206ad0208

  • SHA512

    c3e5f1cb43c34060c33be4a07b37e4a82b9587240a2545c42ac6f7b3e720181194769f6ae518990ea4a0e8f80694b50822c934fc14c6b60eff0c87d8b40ecbdf

  • SSDEEP

    12288:VI/WET/mr9K+22BEEzFatnnFsaAKhtSXOonGusHHsmVeS1vowVqh3Bh/ErM2SqlC:sWtb3BE5OaAKDWGuKsOeS1O3BlsM2SPF

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://eu-west-1.sftpcloud.io
  • Port:
    21
  • Username:
    91687a7459034251bf46decf042c73b6
  • Password:
    TT70ddky2yNKGpkX1I1OBsDlEcGIaUsv

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    eu-west-1.sftpcloud.io
  • Port:
    21
  • Username:
    91687a7459034251bf46decf042c73b6
  • Password:
    TT70ddky2yNKGpkX1I1OBsDlEcGIaUsv

Targets

    • Target

      1301dd3fb7afbea695c0d81ca9016ddb9b0090ee3c51717a6b8b7e4206ad0208.exe

    • Size

      755KB

    • MD5

      8e04b44c3b8b8a8b6cdca6908dd8e4c3

    • SHA1

      33100246c5c088d7d4972a36752dbc840427c496

    • SHA256

      1301dd3fb7afbea695c0d81ca9016ddb9b0090ee3c51717a6b8b7e4206ad0208

    • SHA512

      c3e5f1cb43c34060c33be4a07b37e4a82b9587240a2545c42ac6f7b3e720181194769f6ae518990ea4a0e8f80694b50822c934fc14c6b60eff0c87d8b40ecbdf

    • SSDEEP

      12288:VI/WET/mr9K+22BEEzFatnnFsaAKhtSXOonGusHHsmVeS1vowVqh3Bh/ErM2SqlC:sWtb3BE5OaAKDWGuKsOeS1O3BlsM2SPF

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks