General

  • Target

    0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99.exe

  • Size

    824KB

  • Sample

    240609-l245hshg83

  • MD5

    557d44cc5e33ac15ef0b659e5e58433d

  • SHA1

    389c0e121ee86c95c31915b54489e278a800b76d

  • SHA256

    0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99

  • SHA512

    ed6cfd791b7367f065c4f278d70288961bd01de010648776be6351aec2822b3080b72343cff5a8ab6d73a5131b73a02d03a3274f8b98cdf2433191a50e8596b4

  • SSDEEP

    12288:0Y4eAXsAvV7ihwdVUuRhnMLCke0euDme6ocbosxyc:EeAXsmV7Ywk+n0Cz0sEc0cv

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    backup.smartape.ru
  • Port:
    21
  • Username:
    user894492
  • Password:
    w6NZOdcSkH1a

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://backup.smartape.ru
  • Port:
    21
  • Username:
    user894492
  • Password:
    w6NZOdcSkH1a

Targets

    • Target

      0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99.exe

    • Size

      824KB

    • MD5

      557d44cc5e33ac15ef0b659e5e58433d

    • SHA1

      389c0e121ee86c95c31915b54489e278a800b76d

    • SHA256

      0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99

    • SHA512

      ed6cfd791b7367f065c4f278d70288961bd01de010648776be6351aec2822b3080b72343cff5a8ab6d73a5131b73a02d03a3274f8b98cdf2433191a50e8596b4

    • SSDEEP

      12288:0Y4eAXsAvV7ihwdVUuRhnMLCke0euDme6ocbosxyc:EeAXsmV7Ywk+n0Cz0sEc0cv

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      ee255bdf426349e1caa8f1b71de9fd22

    • SHA1

      d589773826620046df1d77dd148f819a88dd35ec

    • SHA256

      a45f294137e2b0f6092eee8fdd2e19334f34ff3640d865a810b70f2104e92c21

    • SHA512

      71eeb41b5816b7d0f9517264aaf026da878561b6a222064c8100e47c383de9ac369800b734468322f3a6fc3eedb1a23d3c5ca6874bd7bf84af08f395248872cc

    • SSDEEP

      96:8ePik1LFJaO1/radJEaYtv1Zs4lkL8y3A2EN8Cmy3uTc4j7J3kWyy/:tPdTJa2roqJyA2EN8diuTJje

    • Score

      1/10

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      dbdbf4017ff91c9de328697b5fd2e10a

    • SHA1

      b597a5e9a8a0b252770933feed51169b5060a09f

    • SHA256

      be60a00f32924ccbe03f9914e33b8e1ad8c8a1ca442263a69896efba74925b36

    • SHA512

      3befc15aab0a5dbe7fde96155b0499d385f2799b1a2d47ce04f37b5804006b1c6c4fff93d3cedb56a2a8172b23752b6f9dc6168cfce3596b91def3247836cf10

    • SSDEEP

      96:33YnIxFkDUGZpKSmktse3GpmD8pevbE9cxSgB5PKtAtYE9v5E9KntrmfVEB3YdkS:33YIvGZDdtP8pevbg0PuAYK56NyoIFI

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks