General

  • Target

    17062024_1644_17062024_RFQ PO87363839.pdf.tar

  • Size

    601KB

  • Sample

    240617-t8y6vawclf

  • MD5

    9bc0e53867657dfb2b3eb6a7e85ae866

  • SHA1

    df69f2ee2952fbeaaa841e20186f569ab8d71eae

  • SHA256

    8c8c93a70dc50d109b63cac33e5d9311413f5266e567aab6d8b60c5eb184df95

  • SHA512

    5dc438c1af6527736c3ca24b43e83b95a3043cd5faf9482599b1b18f47ab24f27e0fd2defa337a988eab0cf93a45cedcd44e06df007d4885bc703394d1aaa106

  • SSDEEP

    12288:/Cjnx1cBtVLoUwEJLhmJtwfG3ApSudG9Bsm3jWgGW7X1ueE2/TH7:G7cPVLbJatwDd4Bs+W3UjH7

Malware Config

Extracted

  • Family

    agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.annapurnabhaskari.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    krishna@123

Targets

    • Target

      RFQ PO87363839.exe

    • Size

      636KB

    • MD5

      c65224275a8be8b8da70214438fa5b32

    • SHA1

      a09d680e0911635ddb9372cf785141a567089855

    • SHA256

      aca5900b486ee6d687609c026cff2d3c405992566f9a9f9bd355ca1c81ee7b65

    • SHA512

      b54517c1d8daaa4715cf93274ae9d473df1024767737b005c14503b1a31c5569787a7cc178558e8549baabfb2e762a9495ae1fb71bd4351732277ac80db9d0ed

    • SSDEEP

      12288:Is/iFIsPAb/z/OHXK0eNUQyEszajH7LrCEp3AaKy0OCnzOSRfJD5dXsAM3hDT/:lkIKybm3KbNb7LrCEp3AadCnzOAD5xsZ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks