General

  • Target

    e84fcf08ded1588ad1b236274c7afe5f.bin

  • Size

    631KB

  • Sample

    240609-f838xafa93

  • MD5

    dda674774c93760cfa01d2171860d776

  • SHA1

    b9a4ae2e74317c379127722aba8365e8fca00704

  • SHA256

    47538cb55804a5b078edd9b3376f6d80259f4a5724b9ca4ea014628c84476e87

  • SHA512

    7db8ec3da6cce65233c625cac85ad35202bbb68e5ea108b50d2a1af0c9b52d479f97b0b09248713c65226d2a87908c94a8a7a7b490e36363f3152bee5b92687f

  • SSDEEP

    12288:JSnpkA7M96y9VuWj1sXULgjS/uXNfks+9xWvDakNy7kzV6ISqP/:o+Ai68uWjWkLg0uXKs+mvDdNP56ISqH

Malware Config (extracted)

  • Family

    agenttesla

  • Credentials (extracted)

      • Protocol:
        smtp
      • Host:
        mail.cervezabaum.com
      • Port:
        587
      • Username:
        [email protected]
      • Password:
        36781193Baum

Targets

    • Target

      PO 23897 Order Request.exe

    • Size

      679KB

    • MD5

      8cb919da2d28a2e7a35a14a16c2abad3

    • SHA1

      ccb408f332fb889635bc79b67c4dc4c73560fd3c

    • SHA256

      38a05c98b7bd7131bc6d65dc7c5b2a68c63c63119a32012faf1981aa6f40a9c4

    • SHA512

      523d9c571c672cc5f852225bcccfb913a72255719f4c9760cee35d9ced4f907bf3d0842d9c96f732d5c50c1f16d0575f87475b721afdd8c85c655156b7139d5f

    • SSDEEP

      12288:ubBPJwKcI45ssbyJzx17McOjlvS9fIx7LlsyVf48keZL0WLE3q0tpeZsTQi:gBhcvCsY7Mv5K5Ix7gB4/EntAmTQ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks