General

  • Target

    PO76389.exe

  • Size

    851KB

  • Sample

    240603-lvhb6sbg95

  • MD5

    b78a41cfedbd72be9cda0c2e8b456b9b

  • SHA1

    842a457a15cd9b35c930e86aa3adca801231c0c9

  • SHA256

    b43813d1e597a0633fc8693d5921688a8b189cfdc6c74fda22e42c2aefa3270c

  • SHA512

    2511b4647e030b02b3441fdf17259fa49547dead3c3b19d4a8bd04b1825d5bbe464d00cee273bd35f06a14bb66c135453e8d381bdf2b8c0fc2d5e5ba5edaecee

  • SSDEEP

    12288:PMYeaky/Qa0KP1x+kPwu9JaGYd89Lt/rFfaolj2YqEvlw7KZNy6XXSJFY/SYwkiN:PMYej0N5iYKR6XXSvY/STixHu9Iif

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.psgrasa.ir
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mahsa730101

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks