General

  • Target

    3e21e139da2602921d760b944c7d568f6d66cf7b5fee21cd506c3a1acc0da729.exe

  • Size

    1.0MB

  • Sample

    240612-bp3e2sxemn

  • MD5

    66ed2f1b8ed4f58e0cba9e3040a4aa7b

  • SHA1

    675db2d60e56f8bff3b1b3ec595b8949615dec03

  • SHA256

    3e21e139da2602921d760b944c7d568f6d66cf7b5fee21cd506c3a1acc0da729

  • SHA512

    849bb30691dd35cb98c96111dcf624c53fb5c91070f9d1b14ff060c7150824304a8768571b735809c91b0ce88db995543384ef73dafe3383f996f9b7668adc62

  • SSDEEP

    24576:dMm5SH6MIl3LkGDhsmD/U0FMkJsNYM7QrJtz:dMm5Lnl7kSU2qnQrJl

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    hr,d@KUwa5llI%*RNL^J]g%8I;!;_Ne#G1h~lE!*86DAAD6#iLm$x)r+e1z$p+_Q,4_(f!};B?vD!IG?NqT[zOHNr6_nww[S]V?MlcYSt_QO

Targets

    • Target

      3e21e139da2602921d760b944c7d568f6d66cf7b5fee21cd506c3a1acc0da729.exe

    • Size

      1.0MB

    • MD5

      66ed2f1b8ed4f58e0cba9e3040a4aa7b

    • SHA1

      675db2d60e56f8bff3b1b3ec595b8949615dec03

    • SHA256

      3e21e139da2602921d760b944c7d568f6d66cf7b5fee21cd506c3a1acc0da729

    • SHA512

      849bb30691dd35cb98c96111dcf624c53fb5c91070f9d1b14ff060c7150824304a8768571b735809c91b0ce88db995543384ef73dafe3383f996f9b7668adc62

    • SSDEEP

      24576:dMm5SH6MIl3LkGDhsmD/U0FMkJsNYM7QrJtz:dMm5Lnl7kSU2qnQrJl

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks