General

  • Target

    53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d

  • Size

    166KB

  • Sample

    240612-b2jhpsxhnm

  • MD5

    ed1f4802fc687f24827dc818def3862c

  • SHA1

    e4a066d81dd582f7dee2d523feac1612f1809649

  • SHA256

    53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d

  • SHA512

    4720a25d5bb6de9b8cc8cf2ef2b11fb52e3ad9fabd25ebcec92ce055671dcbb0dd2882c95580449e6c4374a3d927a1d7c949d75db76772d02ce5465aad97a40d

  • SSDEEP

    768:bQ0KFwpdwTXm/Rer+pg4pXDOTixnaLB0Kt4r:bQBGwTXmMrIDpXDO0nO0Kt4r
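When a file turns up on an endpoint, the first question is whether it is this sample. The following Python script is an added example, not part of the sandbox report: it computes the four digests the report lists, compares them case-insensitively against the reported values, and insists on all of them agreeing before calling the file the reported sample (a lone MD5 match is a weak signal). It also checks the report's own consistency: the Target name is the SHA256. SSDEEP is left out because it needs the third-party `ssdeep` package and is compared by similarity score, not equality. The `check_iocs.py` filename in the usage comment is hypothetical.

```python
import hashlib
import sys

# Hashes copied from the report above. SSDEEP is omitted: computing it needs
# the third-party ssdeep package, and fuzzy hashes are compared by score
# rather than by equality anyway.
REPORT_TARGET = "53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d"
REPORT_IOCS = {
    "md5": "ed1f4802fc687f24827dc818def3862c",
    "sha1": "e4a066d81dd582f7dee2d523feac1612f1809649",
    "sha256": "53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d",
    "sha512": "4720a25d5bb6de9b8cc8cf2ef2b11fb52e3ad9fabd25ebcec92ce055671dcbb0dd2882c95580449e6c4374a3d927a1d7c949d75db76772d02ce5465aad97a40d",
}


def digests(data: bytes) -> dict:
    """Compute every digest the report lists for the given file contents."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_IOCS}


def match_iocs(data: bytes, iocs: dict = REPORT_IOCS) -> dict:
    """Map each algorithm to True if the data matches the reported hash.

    Comparison is case-insensitive because feeds export hex in mixed case.
    """
    computed = digests(data)
    return {algo: computed[algo] == expected.lower() for algo, expected in iocs.items()}


def is_reported_sample(data: bytes, iocs: dict = REPORT_IOCS) -> bool:
    """Treat the file as the reported sample only if every listed hash agrees.

    A single matching weak digest (MD5) is not enough: a partial match points
    to a tampered or mislabelled IOC set, not to the sample itself.
    """
    return all(match_iocs(data, iocs).values())


def target_name_is_sha256(target: str, iocs: dict = REPORT_IOCS) -> bool:
    """Sandbox reports name the target by its SHA256; check the two agree."""
    return target.lower() == iocs["sha256"].lower()


if __name__ == "__main__":
    # Usage (hypothetical filename): python check_iocs.py <file>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    for algo, ok in match_iocs(blob).items():
        print(f"{algo:6} {'MATCH' if ok else 'no match'}")
    print("reported sample:", is_reported_sample(blob))
```

Run it against any suspect file; a mixed result (some digests match, some do not) should be treated as an IOC-quality problem to chase, not as a near miss.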

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests saved credentials from browsers, email clients and FTP clients and sends them to the operator over SMTP, FTP or HTTP.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence so the payload stays inactive in regions the operator wants to avoid.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run key so the payload is relaunched at every logon (persistence).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting another thread's context is a hallmark of process hollowing (RunPE): a legitimate process is started suspended, its image is replaced with the payload, and the main thread's instruction pointer is redirected before it resumes.
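Each signature above is a single observable; what makes the sample an infostealer is the combination of them in one process. The Python below is an added example, not part of the report: it runs simple pattern rules over constructed, Sysmon-style event records (process id, event type, detail) and raises a verdict only when a process both touches credential stores and shows enough of the other behaviours. The event records, the registry and file paths used as rules (the Geo\Nation value, WinSCP's Sessions key, FileZilla's XML files, Chrome's Login Data, a Thunderbird profile) and the IP-lookup hostnames are assumptions chosen to illustrate the signatures, not artefacts taken from this sample.

```python
import re
from collections import defaultdict

# Constructed telemetry shaped like Sysmon/EDR events: (pid, type, detail).
# These are invented rows, not logs from the analysed sample.
EVENTS = [
    (4321, "RegistryRead",  r"HKCU\Control Panel\International\Geo\Nation"),
    (4321, "FileRead",      r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"),
    (4321, "RegistryRead",  r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\prod"),
    (4321, "FileRead",      r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4321, "FileRead",      r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abc.default\logins.json"),
    (4321, "RegistryWrite", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    (4321, "HttpRequest",   "http://api.ipify.org/"),
    (4321, "ApiCall",       "SetThreadContext"),
    (5555, "HttpRequest",   "https://example.org/"),                 # benign process
    (5555, "FileRead",      r"C:\Users\victim\Documents\notes.txt"),
]

# One rule per report signature: (event type, pattern on the detail field).
# Paths and hostnames are illustrative assumptions, not from this sample.
SIGNATURES = {
    "geofence_lookup":      ("RegistryRead",  re.compile(r"\\International\\Geo\\Nation$", re.I)),
    "winscp_sessions":      ("RegistryRead",  re.compile(r"\\WinSCP 2\\Sessions", re.I)),
    "ftp_client_config":    ("FileRead",      re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    "browser_credentials":  ("FileRead",      re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I)),
    "email_client_profile": ("FileRead",      re.compile(r"\\Thunderbird\\Profiles\\", re.I)),
    "run_key_persistence":  ("RegistryWrite", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    "external_ip_lookup":   ("HttpRequest",   re.compile(r"^https?://(api\.ipify\.org|checkip\.dyndns\.org)", re.I)),
    "set_thread_context":   ("ApiCall",       re.compile(r"^SetThreadContext$")),
}

# Signatures that mean credential material was read, the core of the family.
CREDENTIAL_ACCESS = {"winscp_sessions", "ftp_client_config",
                     "browser_credentials", "email_client_profile"}


def score_processes(events):
    """Return {pid: set of signature names} for every process with a hit."""
    hits = defaultdict(set)
    for pid, etype, detail in events:
        for name, (want_type, pattern) in SIGNATURES.items():
            if etype == want_type and pattern.search(detail):
                hits[pid].add(name)
    return hits


def verdict(hit_names, threshold=3):
    """Infostealer verdict: credential-store access plus enough supporting
    behaviour (geofence, persistence, IP lookup, injection) in one process.
    Requiring both halves keeps a backup tool that reads browser profiles,
    or an updater that writes a Run key, from tripping the rule on its own."""
    return len(hit_names) >= threshold and bool(hit_names & CREDENTIAL_ACCESS)


if __name__ == "__main__":
    for pid, names in score_processes(EVENTS).items():
        print(pid, "INFOSTEALER" if verdict(names) else "review", sorted(names))
```

The threshold and the rule set are starting points: in production the detail field would come from real Sysmon event IDs (12/13 for registry, 11 for file, 22 for DNS) and the per-process grouping would be keyed on process GUID rather than the reusable pid.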
