General

  • Target

    b575c5381b605dce02a5c93a5c3c479db2ded4d0c33f9fede1921c2a87aa185b.gz

  • Size

    649KB

  • Sample

    240604-b759nahb6y

  • MD5

    2d0666f089efe192b7488e33c0456090

  • SHA1

    da4a5610e1e6d3005e3f4320f6078b57da5a5d4d

  • SHA256

    b575c5381b605dce02a5c93a5c3c479db2ded4d0c33f9fede1921c2a87aa185b

  • SHA512

    d2a55b65c0a12620f6ab9998af03530de966fd771c434b7cc5319554f5d57d878a89111ebc03080262fa4e8c7666d74c178790bf783849e40d2510ff259889d3

  • SSDEEP

    12288:qKBcaYmxNzvPGp7rKrRSxv7NaeKoAHLDuCYu5cITfGic8Vw:qKBdlvPA7GgparoADuCT5a8Vw

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.bonnyriggdentalsurgery.com.au
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Sages101*

Targets

    • Target

      PO82107048.exe

    • Size

      719KB

    • MD5

      523007bc2f106dabe9057f0096aa53c3

    • SHA1

      0fd9b3ec5d55916890ce35e8dd47cb6b919576dc

    • SHA256

      f303624986bcad8a2b4dcf857b5fc82f54c933082c0849dd633e9c1651afde98

    • SHA512

      8a2b229f91de9f9ff51af03dd472e3c9ca4e8da23e80388fd153b49ae1d586958cb7ba135918667573ff6c5c942253fe3c59ffb99ca82b92abd0d125cbebe011

    • SSDEEP

      12288:JKqKt/rFfabVtOQvNHMF5iH7cawlJTDGk94h6gXjc6RGc5aJzhkZ+kR:MqKN5ibCQvRG5iH7caMDGgujTR5aJzh+

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks