General

  • Target

    f1e8dc4b23bd6ef5c9d122bdca7f3644f5edc9092ad33602821ef7fe5a44d8ed

  • Size

    850KB

  • Sample

    240604-b7p8fahb4z

  • MD5

    2a917c289749894c0efc4cfea6b113a5

  • SHA1

    51f0d6c971e590b1e1a8625009f7997774be3a39

  • SHA256

    f1e8dc4b23bd6ef5c9d122bdca7f3644f5edc9092ad33602821ef7fe5a44d8ed

  • SHA512

    22e117b4e4c038d4864a260a9e39dfa6090c4eb9a55b34f7eaa5b51572490a1a224412736d3c4febc59ffac226e17dcd5b0639463bc971adcbee9ec48053638c

  • SSDEEP

    24576:TMYeWkeYN5i1q0YRfmu4t0b+6/laBa5GdfqWv+gA:TMYerN5ismubHlaNyWv+9

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.aykadekorasyon.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ayka2023ayka

Targets

    • Target

      f1e8dc4b23bd6ef5c9d122bdca7f3644f5edc9092ad33602821ef7fe5a44d8ed

    • Size

      850KB

    • MD5

      2a917c289749894c0efc4cfea6b113a5

    • SHA1

      51f0d6c971e590b1e1a8625009f7997774be3a39

    • SHA256

      f1e8dc4b23bd6ef5c9d122bdca7f3644f5edc9092ad33602821ef7fe5a44d8ed

    • SHA512

      22e117b4e4c038d4864a260a9e39dfa6090c4eb9a55b34f7eaa5b51572490a1a224412736d3c4febc59ffac226e17dcd5b0639463bc971adcbee9ec48053638c

    • SSDEEP

      24576:TMYeWkeYN5i1q0YRfmu4t0b+6/laBa5GdfqWv+gA:TMYerN5ismubHlaNyWv+9

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks