General

  • Target

    b645571a85583af707b1d6137bb64a5666d80508f77f755e8f41f6de79719659

  • Size

    850KB

  • Sample

    240604-camxgshc9t

  • MD5

    ff5f157e3964dad4aea78fcc4803fd80

  • SHA1

    c4ab113248649fedb2d5ace38317985cea40701a

  • SHA256

    b645571a85583af707b1d6137bb64a5666d80508f77f755e8f41f6de79719659

  • SHA512

    f5c55caef090bccb2e91c2808fe11fb3926eab4f37a31dc71133499ed72631558e07e0c2c46d6acc969c4572a664518f2af90c5988a49e7bbfc07297418e3709

  • SSDEEP

    24576:LMYe6rN5i8nx0aOeSSN5dUPDhPrr5uKI:LMYeCN5i8nvOq+PrtrI

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.vidaflag.si
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Vidaflag15

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks