General

  • Target

    DAMAGE CARGO.7z

  • Size

    301KB

  • Sample

    240523-thc6pagf63

  • MD5

    82c172b8b01a656140709919aa699d91

  • SHA1

    81e4611cde12f02648004c2063ed32fc14e27ebb

  • SHA256

    3ba2d8ddb27f996939d08f47da5e2837778b77c015c288dde593cfc2df3a4be5

  • SHA512

    87a35cd19b4819ee8d4ebc4d2f9cc26506502ff3e30afa1ec36cd509a0546b272268dff68bc7a6181771b3402b31ac78f2e0970b42f4d3c716782afea6e756ca

  • SSDEEP

    6144:VERva6GZBtXZ7L5wAzT1GlwpbPtK/JBoxqerNvkzegl1ZeUz3ses:VnBZ7qAzTQwnoBoxqe5vS7l1Zf3ps

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.iaa-airferight.com
  • Port:
    587
  • Username:
    web@iaa-airferight.com
  • Password:
    webmaster
  • Email To:
    mail@iaa-airferight.com

Targets

    • Target

      DAMAGE CARGO.exe

    • Size

      498KB

    • MD5

      f53753567d26f08858674d27c2222e8d

    • SHA1

      06f8efd5a96b625d8966df80ee3b8f76fb3d4b0e

    • SHA256

      5eecdaf0426291c6db36cc79cba590e61248a5364197d82228da2074a7fa3bba

    • SHA512

      900b1d005e1c5ad4ad9980af5ec495c009e2a32200fd0190e56746796acac4e68f66d55a030395c938b387eaee9c34a490194ae6bc2bca4e1e4b265a46192bb2

    • SSDEEP

      12288:imo2oiXB/6DuKf8I6niPW/Q5f7rzYP7r9r/+pppppppppppppppppppppppppppv:73XlnKf8Uayo1q

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Collection

Data from Local System

4
T1005

Tasks