General

  • Target

    a4bb6414cb7d0a37ed6b06994e516b00793e32eaceba2af7a3e638a4832cc07b.exe

  • Size

    872KB

  • Sample

    240618-wryvvstdqd

  • MD5

    0534a79a51432d3678e88ea60e41e49b

  • SHA1

    c97a8d7efb5f990d1b4305d9c2055bdd8c9971a2

  • SHA256

    a4bb6414cb7d0a37ed6b06994e516b00793e32eaceba2af7a3e638a4832cc07b

  • SHA512

    639149a000727a7c08b40a85bd2424555a1244e6ff7a73a920c6efc4030ecdd1fb91540b0068eded567bef4483f6c49ce6b84d0359cc27ab572832f830906742

  • SSDEEP

    24576:zBAyC5l2GSbFaL6NLpZ51lZzLsb7rcO8kN:K3j2nFaLsT51jMbH7N

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.inducolma.com.co
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    inducolma57

Extracted

Family

agenttesla

Targets

    • Target

      a4bb6414cb7d0a37ed6b06994e516b00793e32eaceba2af7a3e638a4832cc07b.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15