General

  • Target

    62b1b2593f5ca1067a604faca79bdd13b04a6221dbe380605970c135d92139a3

  • Size

    3.2MB

  • Sample

    240612-cec8vaycmh

  • MD5

    a04e1369b8a2ff92e6fa97e3d00c9566

  • SHA1

    ec280c9d80b6f47e9eb1095c9663ea9488a7c0d0

  • SHA256

    62b1b2593f5ca1067a604faca79bdd13b04a6221dbe380605970c135d92139a3

  • SHA512

    e37f2fdd59633cf6dac703b2fa644adfcdd713e9e23f0afe0049525084b35e3ccb1db678cb2ee6c5856c8c7a6eb024606ad7248fb946f7cf221ddd3cd019264e

  • SSDEEP

    49152:l8yJAk206NICMq5pzKRgqVzKDMgFMkLQmP87Nn9:qBslg8Bn9

Malware Config

Extracted

  • Family

    agenttesla

  • C2

    https://api.telegram.org/bot7199704710:AAFo3G2WRLLSd0jDgjwpe01oeP1lxDAYb8A/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks