General

  • Target

    3b76f3aaf3d8f2f296cc272bbd031df5ea7126de65f2a40e8773aa155ca43601.exe

  • Size

    640KB

  • Sample

    240618-t2rs7a1fka

  • MD5

    82d1a111a163bd463d09f76865182045

  • SHA1

    442da7141a7fbebfb1c5e92c584f9aaf703ca9c9

  • SHA256

    3b76f3aaf3d8f2f296cc272bbd031df5ea7126de65f2a40e8773aa155ca43601

  • SHA512

    00a40d456b2507885d68d13ad3d9eb67c53f8262f732c654f37e98a33d77f62f3e7feb8cf9d4f75603333d6ac979a428967155f2fe688ae112a9f811036f9ada

  • SSDEEP

    12288:+mT/iFIsPAb/z/sPKLIRMprVf/lqC+JBeGUwLzaw3mKkQI7n+v1Fekem+ztyvrOf:rTkIKybU8mMprVHlqCjGUwLzl2mI7qds

Malware Config

Extracted

Family

agenttesla

Credentials

Targets


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks