General

  • Target

    eeb35fdb0bbdb0630618aadd914500994ff49458daf53c2e143c4cd5316483e2

  • Size

    716KB

  • Sample

    240604-caabdsaa38

  • MD5

    f7a73c5c4c58ad1d6fb1e4fa256b6519

  • SHA1

    c671eabddd1322772794735553b5e8303fa61c8c

  • SHA256

    eeb35fdb0bbdb0630618aadd914500994ff49458daf53c2e143c4cd5316483e2

  • SHA512

    b877aae032265b4fc270185e4b473210bc908bf34d6b2289e3e2258e364d884caa5008909a4f9401f8fa1e23cc6c3472dc42e67b876f352c787bb3a281e3a9d5

  • SSDEEP

    12288:quWKt/rFfaztYIHnZE17gG2XRTmzCZL1VKNqpfup3iigQG0Ht9o9i3hz1ya6kR:FWKN5i5HZIgfaCL1VBpfuzLHt9oI3hgs

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.naubahar.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Hum$885+Nn

Targets

    • Target

      eeb35fdb0bbdb0630618aadd914500994ff49458daf53c2e143c4cd5316483e2

    • AgentTesla

      Agent Tesla is a .NET information stealer with remote access tool (RAT) capabilities, originally written in Visual Basic .NET. This build exfiltrates the data it collects over SMTP, using the mail server and credentials extracted above.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes (the Add-MpPreference / Set-MpPreference cmdlets), so the dropped payload and the processes it runs in are never scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution (refuse to run in certain regions).

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account data, including credentials, on disk, where infostealers commonly harvest it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Adds Run key to start application

      Persistence through the Windows CurrentVersion\Run registry key, so the payload is launched again at every logon.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects the execution of a suspended thread; it is the characteristic final step of process hollowing, where the payload is written into a legitimate process started in a suspended state and then resumed.
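Detection logic for four of the behaviours above (the PowerShell Defender exclusions, the Run key persistence, the external IP lookup, and SMTP traffic matching the extracted exfiltration config), as an added example that is not part of the sandbox report. It runs the rules over constructed Sysmon-style events (process creation EID 1, registry value set EID 13, network connection EID 3). The dropper path, the Run value name, the list of IP-lookup services and the mail-client allow-list are assumptions; only the SMTP host comes from the extracted config.

```python
"""Detection logic for the behaviours listed in this report, run over
constructed Sysmon-style events. Added example: the events, host list and
mail-client allow-list are assumptions, not data from the sandbox run."""
import re

# ---- Rule 1: Defender exclusion tampering (Add-/Set-MpPreference) ----
_VALUE = r"""(?:"[^"]*"|'[^']*'|[^\s,"']+)"""   # one quoted or bare argument
_EXCL_RE = re.compile(
    rf"-Exclusion(Path|Extension|Process)\s+({_VALUE}(?:\s*,\s*{_VALUE})*)", re.I)
_VALUE_RE = re.compile(_VALUE)
_MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)


def defender_exclusions(cmdline: str) -> dict:
    """Map 'path'/'extension'/'process' to the values excluded on this
    command line; empty dict when the line does not touch exclusions."""
    if not _MPPREF_RE.search(cmdline):
        return {}
    found = {}
    for m in _EXCL_RE.finditer(cmdline):
        kind = m.group(1).lower()
        values = [v.strip("\"'") for v in _VALUE_RE.findall(m.group(2))]
        found.setdefault(kind, []).extend(values)
    return found


# ---- Rule 2: Run-key persistence (Sysmon EID 13, registry value set) ----
_RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.I)


def is_run_key(target_object: str) -> bool:
    return bool(_RUN_KEY_RE.search(target_object))


# ---- Rules 3 and 4: network (Sysmon EID 3) ----
IP_LOOKUP_HOSTS = {  # assumed list of common external-IP services; extend per estate
    "api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
    "ifconfig.me", "ipinfo.io", "ip-api.com",
}
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list; baseline per estate


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, image, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 1:
            excl = defender_exclusions(ev.get("CommandLine", ""))
            if excl:
                findings.append(("defender_exclusion", image, excl))
        elif eid == 13 and is_run_key(ev.get("TargetObject", "")):
            findings.append(("run_key_persistence", image, ev.get("Details", "")))
        elif eid == 3:
            host = ev.get("DestinationHostname", "").lower()
            port = ev.get("DestinationPort")
            if host in IP_LOOKUP_HOSTS:
                findings.append(("external_ip_lookup", image, host))
            if port in SMTP_PORTS and _basename(image) not in MAIL_CLIENTS:
                findings.append(("smtp_from_non_mail_client", image, f"{host}:{port}"))
    return findings


# Constructed sample events (not from the page's sandbox run). The dropper path
# and the Run value name are invented; the SMTP host is the one extracted above.
DROPPER = r"C:\Users\victim\AppData\Roaming\WindowsUpdate.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": POWERSHELL,
     "CommandLine": r"""powershell -NoP -W Hidden Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Roaming' -ExclusionExtension '.exe', '.dll' -ExclusionProcess 'svchost.exe'"""},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": DROPPER},
    {"EventID": 3, "Image": DROPPER, "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
    {"EventID": 3, "Image": DROPPER, "DestinationHostname": "mail.naubahar.com", "DestinationPort": 587},
    # benign noise that must not fire
    {"EventID": 1, "Image": POWERSHELL, "CommandLine": "powershell Get-MpPreference"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": "notepad"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "DestinationHostname": "smtp.example.com", "DestinationPort": 587},
]

if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {image}\n{'':28} {detail}")
```

The exclusion parser handles quoted and bare values and comma-separated lists, but not PowerShell's parameter-prefix abbreviation or -EncodedCommand payloads; pair the command-line rule with Defender's own event 5007 (configuration changed) in the Microsoft-Windows-Windows Defender/Operational log, which records the new exclusion however it was added. The SMTP rule is deliberately broad (any non-mail-client process talking to port 25/465/587) because the stealer's mail server is only known after the config has been extracted; on a real estate it needs a baseline of legitimate senders.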
