General

  • Target

    checklist.7z

  • Size

    301KB

  • Sample

    240523-thcvxsgf62

  • MD5

    4bc063b598b0ffef09e38d7a3680f9f0

  • SHA1

    78bfc209c845543e952a82dbbd6538efae5ca3fb

  • SHA256

    dd1077fffd212f1e8d1515a98ef66393a84064553bb9556a7a577f3fc6fefb3c

  • SHA512

    0c769ef4eb59c19576160c997d0bbd1a7ef5ee3cbcc2ae5283bad2ba1c71cdf8fb006004a0b56e0193cb3fbef769967e6a5e67a8c0303ecba406ad02a43e2bab

  • SSDEEP

    6144:PERva6GZBtXZ7L5wAzT1GlwpbPtK/JBoxqerNvkzegl1ZeUz3ses:PnBZ7qAzTQwnoBoxqe5vS7l1Zf3ps

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.iaa-airferight.com
  • Port:
    587
  • Username:
    web@iaa-airferight.com
  • Password:
    webmaster
  • Email To:
    mail@iaa-airferight.com

Targets

    • Target

      checklist.exe

    • Size

      498KB

    • MD5

      f53753567d26f08858674d27c2222e8d

    • SHA1

      06f8efd5a96b625d8966df80ee3b8f76fb3d4b0e

    • SHA256

      5eecdaf0426291c6db36cc79cba590e61248a5364197d82228da2074a7fa3bba

    • SHA512

      900b1d005e1c5ad4ad9980af5ec495c009e2a32200fd0190e56746796acac4e68f66d55a030395c938b387eaee9c34a490194ae6bc2bca4e1e4b265a46192bb2

    • SSDEEP

      12288:imo2oiXB/6DuKf8I6niPW/Q5f7rzYP7r9r/+pppppppppppppppppppppppppppv:73XlnKf8Uayo1q

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Collection

Data from Local System

4
T1005

Tasks