General

  • Target

    FedEx_776288738390.exe

  • Size

    735KB

  • Sample

    240612-hemp6sshrh

  • MD5

    ff96f15d151b6c271cb4284243c68cdf

  • SHA1

    64213856b1b9e58dbfde55c57c592f6c97dfd13d

  • SHA256

    2de30a474f781d95cc74aad7ef55e65ad03f5a3ea89e60733e710167d46bc2be

  • SHA512

    686a6bfba4d4de4ddd347cd7c7ba6eed60aa350645ddb69f3af225263e73f6db17697f67ddfb9dd62ef32e29c36b252735ec4d0905827dd0476330a8bd8bbcf6

  • SSDEEP

    12288:edXtfETpPO5JmjISb+OEp/ngBmWJdUXouQKTS5BGO0jxF3qX5gba3jK:ed92pSaLwngBmlXouQkO0jr36qa3jK

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks