General

  • Target

    b3951089bb37cbdc49522fb1362c89c30692a0979d9931ed76b25f78963769c9

  • Size

    826KB

  • Sample

    240612-cj5hwsydme

  • MD5

    8b76fd5563f1dfd758ac32238af1770d

  • SHA1

    7aca5695a6ee35183993ac1f586865e62626653d

  • SHA256

    b3951089bb37cbdc49522fb1362c89c30692a0979d9931ed76b25f78963769c9

  • SHA512

    0ec595bae99b3a9647892f1c63b722f79b7c3e65dbb3b2cba61d5aa8d535ca14e7df444af1fc351e89e00df0278c9acc8163de96f33b129175015906cf788534

  • SSDEEP

    12288:ulOKjCJAQC/4fBtLDvM7BlH7m/LXPYJk4gRJ5llIhmdiqACR5leZlNo:64AD4fPw7BgLPYJkr/d3A+er

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SKMBT ref 11062024.scr

    • Size

      764KB

    • MD5

      d50275bec33aa7fcbbc5e9e3efb7086f

    • SHA1

      6fc77e994f56af643ec5c429c2da401d1fcffda4

    • SHA256

      753cdbf4b5b1e61e9d56b9c40a157903a3a346595160c5d2e1c766ffde730323

    • SHA512

      5b5b5ecee7ae9b6cc0c8dca3f49fe14b123dc5303b954c7008a84b2b2f1972c0b8b515a1afa6fccf9225a90c02b50efa67123b8a9f83dd021ba7ce459ad7bf4a

    • SSDEEP

      12288:8lOKjCJAQC/4fBtLDvM7BlH7m/LXPYJk4gRJ5llIhmdiqACR5leZlNo:k4AD4fPw7BgLPYJkr/d3A+er

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks