General

  • Target

    b719c3d29b56e4c8bd56630d412a7836dbf7dbfc836d8d117133c0a6a7386448

  • Size

    612KB

  • Sample

    240619-bdvk3avekl

  • MD5

    c13361acb02f643eed386b5babe83fee

  • SHA1

    1e6a35f6ec1f4d89b7e5747d398ffb362c7adf7f

  • SHA256

    b719c3d29b56e4c8bd56630d412a7836dbf7dbfc836d8d117133c0a6a7386448

  • SHA512

    d53d76581e06d244e119310888141d62434c430c741aaec2aea476a36b6dd4d3668ddcf2c9d9ab236484cfb45fd1eefb9abcade757a7e51141b25571e960e55f

  • SSDEEP

    12288:hhb8vz/s7AHVFVRJES8sGyQa+HheTds/Ve2SnSvnNKsoGd:b8v7s8FHEvyQaKepu+nYNKM

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pishgamsanaat.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Pishgam123456

Targets

    • Target

      order .exe

    • Size

      3.0MB

    • MD5

      cf915d0133f110684b2bed7be93200da

    • SHA1

      106c7d2ed3bffb26fc614664d4fa6f41ea761a1b

    • SHA256

      f2199b5af4d4dba3bec535acbb4fadde6145ddc841dc13ee4a9aad7d3db63ff1

    • SHA512

      d0b0b866c8429cd87960da8eae1eaee69842bed7911e7ccc65ebc26b9879a794ac2306e950477cb17df5b4e6491c3a111c5e59fd06d00d44dd3684a4cf9aca21

    • SSDEEP

      12288:GUIAvR1A7yLrFfxNES8sGaQK+bd8bdsZfe241QvNBKgKcC:hIAvHA2lvERaQKa8xws1aHKL

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks