General

  • Target

    9235b8892e965dc5554dcd81f0587fd0N

  • Size

    720KB

  • Sample

    240913-cbrl3axgnl

  • MD5

    9235b8892e965dc5554dcd81f0587fd0

  • SHA1

    ebb5ad393207f07b11c6efd5c387c596d6289920

  • SHA256

    9a6f5e16552d185a6bf7d82cafe02a49a982066ab8035c175bcbd7d0ae0c550f

  • SHA512

    8f1f1ae09e847ac261016fecdcb57fae0775327cb8ede35ef4232857d16bef8c80a080d4c003f694a6b95f4addf62db043e4a7b491c2a9c1f6d7ec8c81b83acb

  • SSDEEP

    12288:42iNHWZYd1DJhh2zziQrtkeogNdD2KBhGmwp1KuLUzfWkqR3Oj0vw6OKvIGc2:41BB2zzX920hGdUzBG380bOCx

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      9235b8892e965dc5554dcd81f0587fd0N

    • Size

      720KB

    • MD5

      9235b8892e965dc5554dcd81f0587fd0

    • SHA1

      ebb5ad393207f07b11c6efd5c387c596d6289920

    • SHA256

      9a6f5e16552d185a6bf7d82cafe02a49a982066ab8035c175bcbd7d0ae0c550f

    • SHA512

      8f1f1ae09e847ac261016fecdcb57fae0775327cb8ede35ef4232857d16bef8c80a080d4c003f694a6b95f4addf62db043e4a7b491c2a9c1f6d7ec8c81b83acb

    • SSDEEP

      12288:42iNHWZYd1DJhh2zziQrtkeogNdD2KBhGmwp1KuLUzfWkqR3Oj0vw6OKvIGc2:41BB2zzX920hGdUzBG380bOCx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks