General

  • Target

    280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f

  • Size

    783KB

  • Sample

    240612-b66tssyarf

  • MD5

    6662c13587dc2c81d93e5c2d53683050

  • SHA1

    d1dbb9cd770cbf02de049c2820debd6a9d9fa48f

  • SHA256

    280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f

  • SHA512

    afcdbb8ce3ec4fd9a72d5a29875eca0fac577395349157ce277738a68fc3b4aefa71d5286d97a7522ac5afe2341a61d1272f5dafc4665ddb718dc398d8a7267b

  • SSDEEP

    24576:Ae0jH3DI5Gw0c36v+i0O+KHqWeDc5XyCBs2A2:cPgGcf9XK5vXh02

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks