General

  • Target

    0a2e15ef489a2fa6b6501f027c8caadba58806fc5fe5e9f5d1e93ef88306b3e7

  • Size

    668KB

  • Sample

    240523-c51f3aah81

  • MD5

    082a410f9462e6fe803f9ada5790c163

  • SHA1

    67ed95a84701ac9dfafc84c23fb68fb1cc759f9d

  • SHA256

    0a2e15ef489a2fa6b6501f027c8caadba58806fc5fe5e9f5d1e93ef88306b3e7

  • SHA512

    e2b924b63245d55ce1b0394649276953f7cfb82c0610adb9a6689e301f462019665ad1bd4ff677c2569d2eac4d7519b7708bf2657923bfcd2071f5d0eff9d7cb

  • SSDEEP

    12288:11YifTgP490tNY6W/TIQE7OSPl7I36+uiGYwV/Zsy/MjJBpKH6Grsb:EikaIYS9fR3EJuH6f

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.transafricamotors.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    emails@tam

Targets

    • Target

      0a2e15ef489a2fa6b6501f027c8caadba58806fc5fe5e9f5d1e93ef88306b3e7

    • Size

      668KB

    • MD5

      082a410f9462e6fe803f9ada5790c163

    • SHA1

      67ed95a84701ac9dfafc84c23fb68fb1cc759f9d

    • SHA256

      0a2e15ef489a2fa6b6501f027c8caadba58806fc5fe5e9f5d1e93ef88306b3e7

    • SHA512

      e2b924b63245d55ce1b0394649276953f7cfb82c0610adb9a6689e301f462019665ad1bd4ff677c2569d2eac4d7519b7708bf2657923bfcd2071f5d0eff9d7cb

    • SSDEEP

      12288:11YifTgP490tNY6W/TIQE7OSPl7I36+uiGYwV/Zsy/MjJBpKH6Grsb:EikaIYS9fR3EJuH6f

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Collection

Data from Local System

4
T1005

Tasks