General

  • Target

    NEW ORDER-000000WE.rar

  • Size

    616KB

  • Sample

    240617-jqx6qa1dmd

  • MD5

    a9b4302e9e32f081a78b53e504408910

  • SHA1

    74eeeea1f329e8f3512ce8e420ca78149cc7e7ec

  • SHA256

    518dd4a7bd96090b6c2ed9e7a672fdc46d047e2c439040b4e6ad9a4e68fd5d47

  • SHA512

    86aaccae656d754d58f9865a5d0cb869050f3d38a090b67f63256a96559a00ca7232cdb80181684a2a3f84037bf7ca8376acae8dbf37f75ce122c33754842b91

  • SSDEEP

    12288:fYYMNm7NupRn36ztlh5ZCKCPEV3BsAg+jWKE/1ZtZkjQw6d:PV7QpRq5tJCsW3/1ZtZzw6d

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.thelamalab.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Thel@malab@20!9

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      NEW ORDER-000000WE.exe

    • Size

      628KB

    • MD5

      0abb067fc4dcb97e63360595c2216674

    • SHA1

      534c97142b40a4cfeac1e2508b11c4fd7d2be6fa

    • SHA256

      7fc25fe68de56c5d7d59cc518b9d37985faaa4245e981a30369982c8c7c7240d

    • SHA512

      0bddd57de4d9d0729a06cbcb3448accc2f5e3333b25d6399c929ac6db5c3b907fe06c6cc2732abcfd4247cb51e7524dc718fe96599897d3de46098c0cececa63

    • SSDEEP

      12288:9NKvQdA0HK9i529EDROD9H9FWEbeZDY6y1hIAcnohEB9k7hT4nf:+GwDBHOEbeZcJ1cnoAK7Snf

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks