General

  • Target

    263a3a8f8f369928a6e0c96b7ad4bc589060a417032c1a0dfbf3bd7a5d4c6489.rar

  • Size

    692KB

  • Sample

    240615-bpp5qatfne

  • MD5

    f5dd3f82473536afd0cb1458f928d9cc

  • SHA1

    499fdbf5076c47f073c83ccad2dbc2347ed372bb

  • SHA256

    263a3a8f8f369928a6e0c96b7ad4bc589060a417032c1a0dfbf3bd7a5d4c6489

  • SHA512

    eb16705eedf47266fe336123c4195bc5eebc9536dc9c734595acdeed7d211693debc6e52f6bf9bdcf92c03e0a8452131b88b23a006b200727247899d3cf301e1

  • SSDEEP

    12288:yo9te2KYLUjv8K1gKkNzzc91hBFxb6l/2aQ/Xecdj3sQ/HK2YAsMW:yMPPL/K1gZNzeVih2tXexQiWsv

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      PURCHASE ORDER-6333-2024.exe

    • Size

      798KB

    • MD5

      7b6a358d5eee6bd500984670ac90640b

    • SHA1

      b2863960feb24a1225d7fb9cb149c5d0a112fb21

    • SHA256

      dc87604f1d5dc29d3aab245b6384d1886819e53b48118bbcf8df9fdb1b58dcaa

    • SHA512

      f4b96e96af3922ea45c8b3e611686e3eb5a7cc037e93e390a3bb3774eb77d5f0d79ed5686ab63643d5e4c888660e2af61a57f114413d1b320f3f4ebaeb3644dd

    • SSDEEP

      12288:f4dNXYyCK2xrOoD2H7ySHcjkKoEz5WQLRCGbvNILt8rSBoLoD5S2iqrubK:gHoyC5D2GSODLdL9fvNILoSfS2a2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks