General

  • Target

    1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

  • Size

    661KB

  • Sample

    240619-bhpwdavfkn

  • MD5

    c90b8187b8db56562cb03af9d67e61d5

  • SHA1

    0f688b5d1f4d7b024ca0d9a306ffcb273b2fe1df

  • SHA256

    1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1

  • SHA512

    ca943e78deead0c9a954a6eb20ded223e9408b3a457957e56b73c4432aaf06b072a269c8c1bc00d43a4aabe1578f0b18147f074f719239447313ca7db4b05bd1

  • SSDEEP

    12288:0FIsPADvFgvHqtIjdX6UsXvXkkywZCujmt28pip7txWjekR:WIKA2vHcIJFsXvXkkxZCIk286tG

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.naubahar.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Hum$885+Nn

Targets

    • Target

      1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1.exe

    • Size

      661KB

    • MD5

      c90b8187b8db56562cb03af9d67e61d5

    • SHA1

      0f688b5d1f4d7b024ca0d9a306ffcb273b2fe1df

    • SHA256

      1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1

    • SHA512

      ca943e78deead0c9a954a6eb20ded223e9408b3a457957e56b73c4432aaf06b072a269c8c1bc00d43a4aabe1578f0b18147f074f719239447313ca7db4b05bd1

    • SSDEEP

      12288:0FIsPADvFgvHqtIjdX6UsXvXkkywZCujmt28pip7txWjekR:WIKA2vHcIJFsXvXkkxZCIk286tG

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks