General

  • Target

    19062024_1619_19062024_Package status.zip

  • Size

    575KB

  • Sample

    240619-tsxcbatbnf

  • MD5

    35f321a6d92cfe2b48c968810016d252

  • SHA1

    81fc2a72d67af49a212561e91daa1d07cd2a3e09

  • SHA256

    7972ebd87bcda12969db2307835bcddbbd53ca5a287331906000d6f5bb7beebd

  • SHA512

    728ccf3ec09f0a739f60c0b81eccad89728bf93cca4fda1905ae39ac490148e41141bfd830f98184dacaac8b52acd7092cc373c516c3cafc489e13023a6d8e88

  • SSDEEP

    12288:+6g0eth6/ig3fwGaWCOs7BKvLc2Leko5m3nnplhbOQ2X4br5lDf8IGvyT:+6Ith6/ig3VaWpvLxOm3nnplvqmD1Gvm

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    vjru ncjq zilj zxwk

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Package status.exe

    • Size

      810KB

    • MD5

      f7f038db9cf8b30eedadbd0e1bd06475

    • SHA1

      183a7e4912252c912340580478a756449d420c18

    • SHA256

      1c4bde8818c2caac1ea5d08697561d52e4f977a31f648ef55fe54f13efe572e1

    • SHA512

      43ce6cce5d06b7317b524689610b9154ffb2d7b16a55328321b19eb4baba9fb793f46e6d4e2ca582cfa5c5b7d7627e59cbd1860169efa31f4eadae3155322d1e

    • SSDEEP

      12288:NX8AAopS5s7Prs1K9qjmF7UC5xkd56/iS3xwWaoSOs9BOvLcajeUoZe3xn7dhLO3:18N56/iS3Dao55LTue3xn7d3sCDPa7l

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15