General

  • Target

    MT_07562_133420XLS.rar

  • Size

    62KB

  • Sample

    240625-psfbkstalk

  • MD5

    1bae953b9c50304811b07f580adb5e83

  • SHA1

    f33585ef86b13bb67900a98c7ad54ef49b910d7b

  • SHA256

    6368e7f6e1b8e793d7864486e101e6932208c7c17275dd3e73a8dc126019ec37

  • SHA512

    0b067e6a163f4c6d2618e28a8ae9554991b7d3c7f60afa27ff28f376a7e01252570f2a31b4a799643bc203d256ce746d71e240d2e6b0e47586103094b42018b1

  • SSDEEP

    1536:aKmL3l9ivmmHULUQaCtMPGvIDOQ56+uA47Pw7iRjI1XDBDQbUCvxV:xmh4vmMo+CtMOAU+uIWU1XDuYCZV

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    162.254.34.31
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ABwuRZS5Mjh5

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      MT_07562_133420XLS.exe

    • Size

      193KB

    • MD5

      1dece18cd7dbc90b9c7cc14c32323fe2

    • SHA1

      7d7b25abe1a2fccfec391243195183f46fd58075

    • SHA256

      648c0b3c1b0dc2b6999e838be1d518dd85a64068fab427c45c13accb29903bcb

    • SHA512

      e58f328e913117b17f077cf4d86fd4e72861bf24d480812adf5d78a6735cec39dda6c146a5910dc2e1d5333c9acb05330a9cf9655178b21418f74813b43eff02

    • SSDEEP

      3072:LBQysWswtzTMpJJJJJJJJJJJJJJJJJJJ9ICpf4gz2rqpWCCx:LBQ0smQKY4prq4CC

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks