General

  • Target

    21957b0c6acf67944e86ee090df195d1a1cc27753946a6d15cdcde201573b63e

  • Size

    643KB

  • Sample

    240615-b16a3svbmf

  • MD5

    16b7a722f572f38f6793932417de40d3

  • SHA1

    74584115d3514172a14005901b4dbe7efaebad90

  • SHA256

    21957b0c6acf67944e86ee090df195d1a1cc27753946a6d15cdcde201573b63e

  • SHA512

    d76ba1fe88450289fb9d8e0cefc8fc38344a9202c9f340e465d28644a51628b289ed4172ca43084b97e0de7b867638ef3f815ce281fdc3321ca3ebde6a20215a

  • SSDEEP

    12288:uxs2iNPyCK2xrOoIyQ/WxU0LsShN+9/vetfjO0oDzEbN031OeN/+9EjnatCUHthY:/15yC5Ideu0Lm1WRa0oDIc1Oa++jatBQ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks