General

  • Target

    8d5aa43f1f70de76df33254634d589fe8db9daf289f2995b0d6d165b8dea4f71

  • Size

    855KB

  • Sample

    240612-bqy41sxemc

  • MD5

    fd327a956b127f9dfca93055ee45cc39

  • SHA1

    4871ecf3eb5ef327b0020556b3ffbc377fb8f817

  • SHA256

    8d5aa43f1f70de76df33254634d589fe8db9daf289f2995b0d6d165b8dea4f71

  • SHA512

    599f55d8a5b63ad8d891a933d89cd7dc53d07e637fade54c3028d78a5f00ef1fe64aa3fabfc8987daafdc6a1c81118afff4b146c8d56308ef26194784c49b7f4

  • SSDEEP

    24576:pg61jjk0LAta9AslDIk4DDstTtl4ZOdW5+2fwZn5:B5wstZ2cdW5LfwZ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks