General

  • Target

    12e9c03a5e683f32479be9a2b03e8c3c02d13de0c951f8832ef4814f3e21b508

  • Size

    2.7MB

  • Sample

    240604-byqslshd58

  • MD5

    08200de79c23e9bc76c61605701efeef

  • SHA1

    e868aad37ba389f6ca61bb58e9d2fb5c0b35f8c4

  • SHA256

    12e9c03a5e683f32479be9a2b03e8c3c02d13de0c951f8832ef4814f3e21b508

  • SHA512

    9b03349d59dbab54a9b12061cb47bad5cdce96c19aabaa1a36a6e1150b6a68d2ce4d3847a2a91d88e8b8c726bf0cd1bd30a84ab62ed69a9b857cead4c1f70245

  • SSDEEP

    49152:1MnjosT5h82MTAttVzfSfy//lKqXvQYBYMfzkN9nBKslZGQDVEuBb77FqUkC2eaD:WjTNVbttJq2lKYzk/BKslAGbXIUkbezk

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gencoldfire.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    U+&%W@y1mSEUOinP

Targets

    • Target

      ryMblnsuw.exe

    • Size

      2.7MB

    • MD5

      427989058148c362cd9700676af2d0ab

    • SHA1

      f6c751378092726a9a935c845b71b45d839fa55d

    • SHA256

      f17124a24df7513eec26b3ee2c727e3befe328c6baba11ee546e0d230c6f49af

    • SHA512

      eaf9a904208601b441bb58250942dbd3141c68ce8d957c616612b496de2e3525284364544b7bbda4de8cc3e96dff845392252c9dc3956301f218e22e231792b1

    • SSDEEP

      49152:XUD4gT1/8cETQ7FVz3ifenvluqlD8WzogfDujvnDyslzmQLXWQBd7N3qUUsgQaIm:kDj5tR7FJyklMMDuTDyslasd5aUUxQds

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks