General

  • Target

    8ea20141506c36d1d8f5aec2f826d82b486b4be876cd10e12cdca552fbf12cfb

  • Size

    851KB

  • Sample

    240619-cvgk7ssbra

  • MD5

    763d39aad3e9baca6aa4c21e243d4b9f

  • SHA1

    1b649eb42acd2d32337efd48649b17e235841221

  • SHA256

    8ea20141506c36d1d8f5aec2f826d82b486b4be876cd10e12cdca552fbf12cfb

  • SHA512

    c82b6fd17d5efcbda1b1ce70910d697f01edb811297ad06f2f661f5f4fbe735dc466a0d5ffb3f8c2013a41376272f8aaa2ee45de5c5f0cdc90a38e39484ecb97

  • SSDEEP

    24576:PMYenXN5iI1vJ28mHFQVceE3txhL4XS0G:PMYeXN5i6vATHOVq3txt4XS

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.iclalreklam.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    09042017ela

Targets

    • Target

      8ea20141506c36d1d8f5aec2f826d82b486b4be876cd10e12cdca552fbf12cfb

    • Size

      851KB

    • MD5

      763d39aad3e9baca6aa4c21e243d4b9f

    • SHA1

      1b649eb42acd2d32337efd48649b17e235841221

    • SHA256

      8ea20141506c36d1d8f5aec2f826d82b486b4be876cd10e12cdca552fbf12cfb

    • SHA512

      c82b6fd17d5efcbda1b1ce70910d697f01edb811297ad06f2f661f5f4fbe735dc466a0d5ffb3f8c2013a41376272f8aaa2ee45de5c5f0cdc90a38e39484ecb97

    • SSDEEP

      24576:PMYenXN5iI1vJ28mHFQVceE3txhL4XS0G:PMYeXN5i6vATHOVq3txt4XS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks