General

  • Target

    a2683767a15658543e3b57ffe6b741b5230818aafc47d16d38fcf22cdf5297ad.zip

  • Size

    616KB

  • Sample

    240618-wqeqlatdne

  • MD5

    8643be4fe49a74bc2668c1f68e756b14

  • SHA1

    854f30e5623f2918b30258dc5f50d8a9a80ce779

  • SHA256

    a2683767a15658543e3b57ffe6b741b5230818aafc47d16d38fcf22cdf5297ad

  • SHA512

    af4082c93b6a2e48bb52cd021ee217113233602caeaaf416df1ab7c5d1dacd53168e44aa76394fd06ad289cf981f36355033d18040f8dc2e2acd25a8cb81fdde

  • SSDEEP

    12288:ssVQ6XUoB/iIxFuiJd5vAFXqNWaZtjTr7A3To9Vw+3twdf:sqhNiI+iJdupqNdnrgTwtwdf

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.calibervalves.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    f%K=]590_&Es

Targets

    • Target

      SOA MAY.exe

    • Size

      649KB

    • MD5

      0c0a41c08e05cc17ec190a8325122ff1

    • SHA1

      d626dadb8389d7d3a2ef8a4d55ea1e93012344df

    • SHA256

      dc2e8a0f43a7ba9dc6ccf14dfda7e6ddd366d137cf774e221b09165ca6b414a8

    • SHA512

      eedf165ebccb8a4c90664a4eaa8389aa7f67fd03035e3e3592dd8ebbcf0c4f67e2cc398ecf5838469721fffce7b511c74f2973632d065fef825ef15acc0ce5de

    • SSDEEP

      12288:Fjgd/iFIsPAb/z/6U66JBBQILFuCJJ5JAl9qv+6Pt71rjzhO0dto9Vy9j+jtIU0Y:9gdkIKybs6J7QI8CJJgXqvdRrPs0dtDg

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to determine the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks