General

  • Target

    125138529f0b99612ea633104c80f895b523a6d95f70da58e30edb94e9e258fe

  • Size

    856KB

  • Sample

    240612-b245eaxhqm

  • MD5

    02c38b2407830ee92fb9973c53746a5e

  • SHA1

    a6945865d73be1a0ce2c5b51e91d6351b0c5a3ff

  • SHA256

    125138529f0b99612ea633104c80f895b523a6d95f70da58e30edb94e9e258fe

  • SHA512

    3e040a31b612647383b5bc3475421236129c41182f5334505e89fd4dd26cea4a34628309e5e9c0b3d1dbfd8259a8054f44961da5c1f7bdb216aa03c373633ade

  • SSDEEP

    24576:3g61jjk0LAta9APUDIIRVfEkME+GZ9kDI1Q/uI9H9hNSAP0tdZ:bV3Eh6ExVbNSh

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other secrets.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks