General

  • Target: 152f005354a28b7fbcd869ac2b987fb245511e9cd8d2754cf182bf8a6ab9e049
  • Size: 650KB
  • Sample: 240604-b913qaaa32
  • MD5: 31c8c9df1d4dfb3c2e84e2bd1b097ce4
  • SHA1: a9c32297a2601157495d7c6652b4e6499eac0b54
  • SHA256: 152f005354a28b7fbcd869ac2b987fb245511e9cd8d2754cf182bf8a6ab9e049
  • SHA512: c090f525477c612891f64d97d7cbae14545eb25ff4c6dae6495cff01f220425b32c3e9c663b7037d1f03a7f43f0377d38b7971dfa738a0ed0cf5a0bcc9be7e38
  • SSDEEP: 12288:WRlSjjs+2F1zqmsH5Zw1naG2TfDmlC3LJ/GA1Ei+Lsz60QoBU3BYXvrv:EOjg1ziZZqa1q6LJ/r1ELLszv23uXj

Malware Config

Extracted

  • Family: agenttesla

Credentials

Extracted Credentials

  • Protocol: smtp
  • Host: mail.naubahar.com
  • Port: 587
  • Username: [email protected]
  • Password: Hum$885+Nn

Targets

    • Target: Draft BL.exe
    • Size: 716KB
    • MD5: f7a73c5c4c58ad1d6fb1e4fa256b6519
    • SHA1: c671eabddd1322772794735553b5e8303fa61c8c
    • SHA256: eeb35fdb0bbdb0630618aadd914500994ff49458daf53c2e143c4cd5316483e2
    • SHA512: b877aae032265b4fc270185e4b473210bc908bf34d6b2289e3e2258e364d884caa5008909a4f9401f8fa1e23cc6c3472dc42e67b876f352c787bb3a281e3a9d5
    • SSDEEP: 12288:quWKt/rFfaztYIHnZE17gG2XRTmzCZL1VKNqpfup3iigQG0Ht9o9i3hz1ya6kR:FWKN5i5HZIgfaCL1VBpfuzLHt9oI3hgs

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks