General

  • Target

    HSBC Payment Advice_pdf.exe

  • Size

    667KB

  • Sample

    240625-krksfsshjr

  • MD5

    4a54a1cfb9a323654e9382645dd55f03

  • SHA1

    2a569a45460a3a7251fe74fc0ce082dbe05de9d4

  • SHA256

    88ee50dbfee90121de2f56cbb6fb8e23384f2423a0598a45147fe08f6503cb3b

  • SHA512

    6830e11f411b50da12361bbd8749dc80386b49895823986609d990871c8a9c01884c38e9dc8698f913b00f1f273809e225430b22c2f0d9241735892b96d5cab5

  • SSDEEP

    12288:wo5wtN2gPFocYNclSS51hq2t7ud/I59A/IFlDBUun3BYMn/:7LESc5F5F8dQ40lDeGr/

Malware Config

Extracted

Family

agenttesla

Credentials

Targets


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks