General

  • Target

    b3b58a7d2eeda1ca29664aa79a79acd2df41e06b503c5af6a91c536e8798bab8

  • Size

    1.3MB

  • Sample

    240619-cxr5qascke

  • MD5

    23b24039cb4a47a03e71a77b2773a583

  • SHA1

    c926e5259abcdd1702171ce7cca153555ac01f89

  • SHA256

    b3b58a7d2eeda1ca29664aa79a79acd2df41e06b503c5af6a91c536e8798bab8

  • SHA512

    9bc9e75fa7b56060dbd17226617274336497b67d3502fa0c33466b0bbb1d74be6ed2b8ef2b41bbd8155961616d9139b3f46fa70174edcb5d02987ca4aaa645f5

  • SSDEEP

    24576:0AHnh+eWsN3skA4RV1Hom2KXMmHaFH4vy5q4rBEO2bhIpuvLfMyc5T/5:Dh+ZkldoPK8YaFHdKv7MycL

Malware Config

Targets

    • Target

      b3b58a7d2eeda1ca29664aa79a79acd2df41e06b503c5af6a91c536e8798bab8

    • Size

      1.3MB

    • MD5

      23b24039cb4a47a03e71a77b2773a583

    • SHA1

      c926e5259abcdd1702171ce7cca153555ac01f89

    • SHA256

      b3b58a7d2eeda1ca29664aa79a79acd2df41e06b503c5af6a91c536e8798bab8

    • SHA512

      9bc9e75fa7b56060dbd17226617274336497b67d3502fa0c33466b0bbb1d74be6ed2b8ef2b41bbd8155961616d9139b3f46fa70174edcb5d02987ca4aaa645f5

    • SSDEEP

      24576:0AHnh+eWsN3skA4RV1Hom2KXMmHaFH4vy5q4rBEO2bhIpuvLfMyc5T/5:Dh+ZkldoPK8YaFHdKv7MycL

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks