General

  • Target

    76fb2ead4693296ca4bd449b262cc0ccc6527180d71da0a9dcfcdd8518df9651.exe

  • Size

    1.3MB

  • Sample

    240609-lwrbgahg25

  • MD5

    73dfd9de87af64f52cdf1aea89ff7802

  • SHA1

    dec3e5c60f84ce967a20f08210d8112b37e51ec6

  • SHA256

    76fb2ead4693296ca4bd449b262cc0ccc6527180d71da0a9dcfcdd8518df9651

  • SHA512

    0982185fcc3d08d5993de5f93b8ee9016d8f9dc7a5915daac2b6db8d92d1f90ba19f83e2ffc094fd2e51ed6316ce98055767682fcc6061470babb937899a6300

  • SSDEEP

    24576:BAHnh+eWsN3skA4RV1Hom2KXMmHa6GQqzL3EgZSBYr+ZZRjK5:Yh+ZkldoPK8YaiqzrwE

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: mail.ppg-pa.com
  • Port: 587
  • Username: [email protected]
  • Password: DKKfy2001$

Targets

    • Target

      76fb2ead4693296ca4bd449b262cc0ccc6527180d71da0a9dcfcdd8518df9651.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks