General

  • Target

    da9219415bcb66e4048ce23c6f94a3bfc29b0576fd3d30c7b47f6835efcd9ad4.rar

  • Size

    648KB

  • Sample

    240609-me5cfahc7w

  • MD5

    0b0b8f1b9ba09ae894e0a58eed1131b5

  • SHA1

    7f431e504fa52f665596aab273ef26c19d6bac19

  • SHA256

    da9219415bcb66e4048ce23c6f94a3bfc29b0576fd3d30c7b47f6835efcd9ad4

  • SHA512

    063b47ef0ce69ce12e64e0caaf83ce20bda19bfedf47da2c9c2ce052d273a5d0fc593cc695f24e1403a847396e5850465aeda5e5c32a244845711ea1f466235c

  • SSDEEP

    12288:Pkc6ZszTSEyNvHQc7YE494fkJl94Da2kLxuw53smXHPklYLCRqywxiUDhnscW4:r6Z6SxPQkW4MJl94lkdJpPkl4C7wnhJn

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.psgrasa.ir
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mahsa730101

Targets

    • Target

      RFQ-2402-3572.exe

    • Size

      706KB

    • MD5

      2e11cbc359b45e25b7f5f3b6008f3adc

    • SHA1

      e640cc86dfed0419775c394ed050674667ed8b2e

    • SHA256

      48c7311341af01dfa4d01d6000fb17d6956d6607f2714bb88bba2f8ca0a93fbc

    • SHA512

      4a4c3b8d84f8a7a7b09bd584b17f07fe929abd938b64cef95e2890512d988eff116ce726694d53e5d78e3063ed71b0ac3d33ebfa8db6dc3ec8b2469578c5c8ba

    • SSDEEP

      12288:r3qyJMIC222lCz/mh/otW1AmPCLHmR895zB8DSSAwlDJyhy3KJx:r6Oo222Y7mh/BKm6vDF8+S/GhgKL

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15