General

  • Target

    gdC5AKTv6RiIgyr.exe

  • Size

    627KB

  • Sample

    240625-j3tztsyblb

  • MD5

    76833b147943848963f23afc9e6e1f5d

  • SHA1

    e21b52602530d829e2a20cbe14187e9c07560a08

  • SHA256

    fd05577096a8cf7e8a3955da0412f698199b9d2f53bea732351b7f2eb18819ce

  • SHA512

    82685751264e4a3bdac8bfa1a6d4db0b495909618bdd6612b1aa8456010d4f07aadbdd8063512973d51ac88bf6b5277f0591095a1a1860813c42030f88dff130

  • SSDEEP

    12288:+OuWLJLlqkK6t7pv/HqMmcMglzWkJFRa1J352/jvjb12biSJ6ImMKVVwtN:+2UUpRmHgljJFRuJ352/LjwbiSeMKV

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.chachitos.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Miguel#2021@@

Targets

    • Target

      gdC5AKTv6RiIgyr.exe

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. The configuration extracted from this sample shows exfiltration over SMTP submission (port 587); treat the host, account and password listed above as indicators to block and hunt for, never as credentials to log in with.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

      Writes a value under a ...\Microsoft\Windows\CurrentVersion\Run key so the payload is relaunched at every user logon (persistence).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process (typically a suspended child) is characteristic of process hollowing and related injection techniques; the report does not name the target process, so check which process the thread belongs to when triaging.
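The behaviours listed above can be turned into a hunt. The following is an added example, not part of this sandbox report: a Python script that scores EDR-style events per process against those signatures. It uses the SMTP host and port from the extracted configuration, plus assumed storage locations for WinSCP, FileZilla, Chrome/Firefox and mail clients (the report lists none); the event records are constructed for illustration and include a legitimate mail client as noise.

```python
"""Hunt for the behaviours this report attributes to the sample, across
EDR-style events. Added example; the event records below are constructed."""
import re
from collections import defaultdict

# From the report's extracted configuration: where stolen data is mailed to.
EXFIL_HOST = "mail.chachitos.com.mx"
EXFIL_PORT = 587

# Assumed storage locations for the clients the signatures mention; the report
# itself does not list concrete paths or key names.
RULES = {
    "reg_read": [
        ("winscp_sessions", re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions", re.I)),
    ],
    "file_read": [
        ("ftp_client_config", re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
        ("mail_client_profile", re.compile(r"\\(Thunderbird\\Profiles|Microsoft\\Outlook)\\", re.I)),
        ("browser_credentials", re.compile(r"\\(Login Data|logins\.json)$", re.I)),
    ],
    "reg_set": [
        ("run_key_persistence", re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    ],
}
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}  # assumed list


def classify(ev):
    """Return the behaviour name a single event matches, or None."""
    t, target = ev["type"], ev.get("target", "")
    if t in RULES:
        return next((name for name, rx in RULES[t] if rx.search(target)), None)
    if t == "dns" and target.lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    if t == "net_connect":
        host, _, port = target.rpartition(":")
        if not port.isdigit():
            return None
        if host.lower() == EXFIL_HOST and int(port) == EXFIL_PORT:
            return "smtp_exfil_to_known_c2"   # exact match on the extracted config
        if int(port) == EXFIL_PORT:
            return "smtp_submission"          # weak on its own: mail clients do this too
    if t == "thread_context" and ev.get("target_pid") not in (None, ev["pid"]):
        return "setthreadcontext_cross_process"
    return None


def hunt(events, min_hits=3):
    """Group matched behaviours per (pid, image); keep processes with >= min_hits distinct ones."""
    hits = defaultdict(set)
    for ev in events:
        name = classify(ev)
        if name:
            hits[(ev["pid"], ev["image"])].add(name)
    return {f"{img} (pid {pid})": sorted(b) for (pid, img), b in hits.items() if len(b) >= min_hits}


# Constructed events: the sample doing what the report's signatures describe,
# plus a legitimate mail client as noise. Paths, pids and the Run value name are made up.
SAMPLE = "gdC5AKTv6RiIgyr.exe"
SAMPLE_EVENTS = [
    {"type": "reg_read", "pid": 4120, "image": SAMPLE,
     "target": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "file_read", "pid": 4120, "image": SAMPLE,
     "target": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "file_read", "pid": 4120, "image": SAMPLE,
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "reg_set", "pid": 4120, "image": SAMPLE,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"type": "dns", "pid": 4120, "image": SAMPLE, "target": "api.ipify.org"},
    {"type": "thread_context", "pid": 4120, "image": SAMPLE, "target_pid": 4388},
    {"type": "net_connect", "pid": 4120, "image": SAMPLE, "target": "mail.chachitos.com.mx:587"},
    {"type": "net_connect", "pid": 2200, "image": "thunderbird.exe", "target": "smtp.example.net:587"},
    {"type": "file_read", "pid": 2200, "image": "thunderbird.exe",
     "target": r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abc.default\logins.json"},
]

if __name__ == "__main__":
    for proc, behaviours in hunt(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(behaviours)}")
```

With the default threshold of three distinct behaviours the sample process is reported with all seven matches, while the mail client (port 587 plus reading its own profile) stays below the bar; lower `min_hits` when you want to see the weak signals as well. The exact-host match on the extracted SMTP server is the highest-confidence indicator here and is worth a standalone network alert.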
