General

  • Target

    a53e67f5e39583be30acd7b97c5085aa76b45610fcb033285fd443e9fe828bda

  • Size

    760KB

  • Sample

    240612-b672vsyarg

  • MD5

    b57c934f9dd2298807c1adb1adf9c509

  • SHA1

    4c0045e513dc6a81920b811fd127e5e80b40a43e

  • SHA256

    a53e67f5e39583be30acd7b97c5085aa76b45610fcb033285fd443e9fe828bda

  • SHA512

    a7f372ef84aefe98dedfe72a1da4ac261e0459a972ef3d6c8066ec364b8e43d90a17fab368997761222809b4cc835a3ebfbe688d72c3ee7e3932fc05a696c941

  • SSDEEP

    12288:POfrI6dBnF5Hl9Gw0l+tYjfnf2KGknEH2nZF/SSE9baXje8tEX8JLd5XvHRM22d:mrIWBn3Gw0otyfXGknYESSE9baXjeRcY

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SOF-41593-21052024112851.exe

    • Size

      783KB

    • MD5

      6662c13587dc2c81d93e5c2d53683050

    • SHA1

      d1dbb9cd770cbf02de049c2820debd6a9d9fa48f

    • SHA256

      280b463ac5311b367f5b3678a0305bcfcb7ff877814b0bbabb9839327b578c1f

    • SHA512

      afcdbb8ce3ec4fd9a72d5a29875eca0fac577395349157ce277738a68fc3b4aefa71d5286d97a7522ac5afe2341a61d1272f5dafc4665ddb718dc398d8a7267b

    • SSDEEP

      24576:Ae0jH3DI5Gw0c36v+i0O+KHqWeDc5XyCBs2A2:cPgGcf9XK5vXh02

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks