General

  • Target

    21a48dddb72c624a2987ce341ab3c2a8ddf4055ee6f0fc3b2fa2da34bea73b08.rar

  • Size

    1.1MB

  • Sample

    240523-bkczlaga3w

  • MD5

    1e7c944c17fc26d4e73bc87a4a817923

  • SHA1

    6c34decb0eb8bdb6851fd4f1ecb2efe28e3807ec

  • SHA256

    21a48dddb72c624a2987ce341ab3c2a8ddf4055ee6f0fc3b2fa2da34bea73b08

  • SHA512

    dda0ce88ef3e6e550429163ff3fdef7b0c4da853fba444005b13377a9881b9af9381675e174abbcb58bf73e481f1af9442415631dc19e1292c308d8b91c26324

  • SSDEEP

    24576:jARy3OqnUUiiYta5+eiXxKi0H4qlMfsmX6YqD8C2XIP6:MRYUUin05+eNbMfsmJy8lYy

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    BTwcMq@2

Targets

    • Target

      Sipariş PO #408232023_ZNG İstanbul_pdf.exe

    • Size

      2.5MB

    • MD5

      f55d77a9d704af55b0797de1435706e3

    • SHA1

      93010de39c5e434291a439b65f6eb381b741edf3

    • SHA256

      5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508

    • SHA512

      0ad087c8a2290f890cb58535958566cf6a814415c58f20742d3074d27cd0e4e31f5f3d3a0a4945ec675c84ad99f9894c184ff69fcb702d19443a83729b19bddb

    • SSDEEP

      49152:VP6hSrcCPT0J6Lg31+mYGnKDVTXShVr7oL:2ujRmYGnKDVTOr

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks