General

  • Target

    payload.exe

  • Size

    4.4MB

  • Sample

    240618-sf2wlayelf

  • MD5

    f91187d775ecc8afabe3f7465adbbd02

  • SHA1

    f4afb037f36c977ea8d267dde3d88720d2c460ed

  • SHA256

    ee7e36e4f460751432305467cb11d85ff90591a59223a5d7da3a33144b02a6c4

  • SHA512

    7ccdccbe4c7cec79a9945ad99f1451a5d3d2e478e1945ffe9e6d25a849b0bc5bd7fff7298f5d7afa12a607385e09369e5dd1ed5f3991e24e57dfb59d211a89d7

  • SSDEEP

    24576:sCCxWH4DJMT9QRjQRRIGWiMPik0zdbDQjdgPGH0v4rkY2YQb+1ihA6vYnzVvmi2Z:

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      payload.exe

    • Size

      4.4MB

    • MD5

      f91187d775ecc8afabe3f7465adbbd02

    • SHA1

      f4afb037f36c977ea8d267dde3d88720d2c460ed

    • SHA256

      ee7e36e4f460751432305467cb11d85ff90591a59223a5d7da3a33144b02a6c4

    • SHA512

      7ccdccbe4c7cec79a9945ad99f1451a5d3d2e478e1945ffe9e6d25a849b0bc5bd7fff7298f5d7afa12a607385e09369e5dd1ed5f3991e24e57dfb59d211a89d7

    • SSDEEP

      24576:sCCxWH4DJMT9QRjQRRIGWiMPik0zdbDQjdgPGH0v4rkY2YQb+1ihA6vYnzVvmi2Z:

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks