General

  • Target

    f160831f875a33c95c113ad1258159739f41cbcf7f327f6a8014de3212b12425

  • Size

    580KB

  • Sample

    240523-cztrbsah52

  • MD5

    dda8d21619a651014a7b940687eb917c

  • SHA1

    e741b2847c3c3d82264bbca8f2ad205727bce43e

  • SHA256

    f160831f875a33c95c113ad1258159739f41cbcf7f327f6a8014de3212b12425

  • SHA512

    25a8930a25c9299d35ba9d1ad700dfd5cbe87ee16f8e53a6e120685d60929a9b8b7cedb196c13e889bdb0b49651788ccdf839dc7a1dae8fa61fdf9bd93341ba7

  • SSDEEP

    12288:IhdGm25dL7dWqz6RniYEgWgZO68QZ4aS1R04fYev6Qo398r+vYqrjcOmOQFeC0:EdGmmlhWS6bEB8O68QZ4aSn0qYev6l3Z

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.window10server.com
  • Port:
    587
  • Username:
    topsecret@window10server.com
  • Password:
    6oJwe0Mg7pNWEVD
  • Email To:
    findme@window10server.com
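The extracted SMTP configuration is the most actionable part of this report: it names the exfiltration mail server, the submission port and the attacker-controlled sender and recipient mailboxes. The script below is an added example, not code from the report, the sandbox or the malware; it parses the Credentials block into indicators, emits a Suricata DNS rule for the exfil host, and runs a hunt over constructed connection records that reflects the behaviour the signatures describe (an external IP lookup followed by direct SMTP submission from a workstation). The IP-lookup service list, the sample records and the rule sid are assumptions.

```python
"""Turn the Agent Tesla SMTP config extracted above into hunting artifacts (added example)."""

# Constructed copy of the "Credentials" block from the report above.
AGENTTESLA_CONFIG = """\
Protocol: smtp
Host: mail.window10server.com
Port: 587
Username: topsecret@window10server.com
Password: 6oJwe0Mg7pNWEVD
Email To: findme@window10server.com
"""

# Hypothetical list of IP-lookup services infostealers commonly query before
# exfiltration; the report only says "a legitimate IP lookup service".
IP_LOOKUP_SERVICES = frozenset({"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"})
SMTP_PORTS = frozenset({25, 465, 587})

# Constructed outbound connection records (uid, source, destination, port and the
# DNS name or TLS SNI the client asked for), as a SIEM join would produce them.
SAMPLE_CONNECTIONS = [
    {"uid": "C1", "src": "10.0.0.21", "dst": "203.0.113.9", "dport": 587, "server_name": "mail.window10server.com"},
    {"uid": "C2", "src": "10.0.0.21", "dst": "198.51.100.5", "dport": 443, "server_name": "api.ipify.org"},
    {"uid": "C3", "src": "10.0.0.40", "dst": "192.0.2.25", "dport": 587, "server_name": "smtp.example.net"},
    {"uid": "C4", "src": "10.0.0.40", "dst": "192.0.2.80", "dport": 443, "server_name": "www.example.net"},
]


def parse_config(text: str) -> dict:
    """Parse 'Key: value' lines into a dict with snake_case keys; port becomes an int."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip().lower().replace(" ", "_")] = value.strip()
    if "port" in cfg:
        cfg["port"] = int(cfg["port"])
    return cfg


def indicators(cfg: dict) -> dict:
    """Reduce the config to the network and mail indicators worth blocking or hunting."""
    host = cfg["host"]
    return {
        "host": host,
        "port": cfg["port"],
        # Mail server, sender and recipient all share one registered domain here,
        # which points at attacker-run infrastructure rather than an abused mail provider.
        "domain": host.split(".", 1)[1] if "." in host else host,
        "mailboxes": sorted({cfg["username"], cfg["email_to"]}),
    }


def suricata_dns_rule(ind: dict, sid: int) -> str:
    """Suricata rule on the DNS lookup for the exfil host (sid is a hypothetical local-range id)."""
    return (
        f'alert dns any any -> any any (msg:"AgentTesla SMTP exfil host {ind["host"]} lookup"; '
        f'dns.query; content:"{ind["host"]}"; nocase; bsize:{len(ind["host"])}; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def hunt(records: list, ind: dict, sanctioned_relays: frozenset = frozenset()) -> list:
    """Flag connection records matching the config or Agent Tesla's behaviour.

    Returns (uid, reason) pairs; one record may be flagged for several reasons.
    """
    hits = []
    for r in records:
        name = r.get("server_name", "").lower()
        if name == ind["host"].lower() or name.endswith("." + ind["domain"].lower()):
            hits.append((r["uid"], "c2_host"))
        if name in IP_LOOKUP_SERVICES:
            hits.append((r["uid"], "external_ip_lookup"))
        # Workstations normally submit mail only through a sanctioned relay; a direct
        # SMTP session anywhere else matches Agent Tesla's built-in SMTP client.
        if r["dport"] in SMTP_PORTS and r["dst"] not in sanctioned_relays:
            hits.append((r["uid"], "direct_smtp_submission"))
    return hits


if __name__ == "__main__":
    ind = indicators(parse_config(AGENTTESLA_CONFIG))
    print(suricata_dns_rule(ind, 1000001))
    for uid, reason in hunt(SAMPLE_CONNECTIONS, ind, sanctioned_relays=frozenset({"192.0.2.25"})):
        print(uid, reason)
```

Pass your organisation's real mail relays as `sanctioned_relays`; without that list the direct-submission check also flags legitimate SMTP submission. The DNS rule fires on the lookup rather than on the SMTP session because on port 587 the session is usually wrapped in STARTTLS before any content worth matching is sent.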

Targets

    • Target

      vessel_documents_220524_pdf.exe

    • Size

      1004KB

    • MD5

      f9a051bb69d81d56a813cb7c1b9723ca

    • SHA1

      48bc5e261d86fd13f381fdd8d99543f2e04f8d74

    • SHA256

      9a85f60d0a9c5ed32f0a0e8717769f82bf796a7fec9efc5826adb170d5742682

    • SHA512

      7cb35b72921599ceb1d239c356fe8ed08da1bf851d238df102ae373553754b7bcd41d2ba19e6a6504ef9a92ba0dc44f84eeb598016abdc2b48f4d3cbe2d3fa2b

    • SSDEEP

      24576:bAHnh+eWsN3skA4RV1Hom2KXMmHa4eHljd25:2h+ZkldoPK8Ya4eFS

    • AgentTesla

      Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer, originally written in Visual Basic .NET; this sample is configured to exfiltrate over SMTP using the credentials above.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Modifying another thread's context from a separate process is characteristic of process hollowing and thread hijacking, where a suspended process is repointed at injected code.

MITRE ATT&CK Matrix

Tasks