General

  • Target

    staff recordpdf2024.exe

  • Size

    1.1MB

  • Sample

    240913-lrl6yswgkj

  • MD5

    0ec5e7c925699592bb6d5601cc7c30fd

  • SHA1

    70f3707bb78d9fdd8e63c9a4ca69b3569c1311d0

  • SHA256

    a0a9417b529beeb5889f15445f335e71b54815d8333048da716299fffac32d9f

  • SHA512

    6f2568d66fd0f88a2ef3dbca9e49e0ccf0c22d01b81c6a0f25a8ff58f9d712e3932d5db51d4feba25e382f503f583a79d664d2f013aac7590d8b06526b6b5fc8

  • SSDEEP

    24576:yCdxte/80jYLT3U1jfsWapOEmkOKkmg956Q:jw80cTsjkWapqFmg9j

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.myhydropowered.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nW5AoStmqtxtXpA

Extracted

Family

agenttesla

Targets

    • Target

      staff recordpdf2024.exe

    • AgentTesla

      Agent Tesla is a .NET (Visual Basic .NET) information stealer and remote access tool (RAT) that harvests credentials and keystrokes and exfiltrates them over SMTP, FTP or HTTP; the extracted config above shows this sample using SMTP on port 587.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup web service to learn the infected host's external IP address, which the stealer includes in its exfiltrated report.

    • AutoIt Executable

      An AutoIt script compiled into a PE executable; compiled AutoIt stubs are commonly used as a wrapper/loader around the real payload.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's suspended thread is the usual way a process-hollowing loader redirects execution to injected code.
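The hashes in the General section and the SMTP host/port in the extracted config are the indicators a responder would actually hunt with. The script below is an added example, not part of the sandbox report or of any tooling the report describes: it matches a file against all four published digests at once and scans connection log lines for the exfil host or for the sample's process name reaching an SMTP port. The log format ("timestamp process dst_host dst_port"), the sample log lines and the hostnames in them are constructed for the example.

```python
import hashlib
import re

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "0ec5e7c925699592bb6d5601cc7c30fd",
    "sha1": "70f3707bb78d9fdd8e63c9a4ca69b3569c1311d0",
    "sha256": "a0a9417b529beeb5889f15445f335e71b54815d8333048da716299fffac32d9f",
    "sha512": "6f2568d66fd0f88a2ef3dbca9e49e0ccf0c22d01b81c6a0f25a8ff58f9d712e3932d5db51d4feba25e382f503f583a79d664d2f013aac7590d8b06526b6b5fc8",
}
SAMPLE_NAME = "staff recordpdf2024.exe"
EXFIL_HOST = "mail.myhydropowered.com"
EXFIL_PORT = 587
SMTP_PORTS = {25, 465, EXFIL_PORT}


def file_hashes(data: bytes) -> dict:
    """Compute the four digests the report lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def matching_algorithms(data: bytes, iocs: dict = SAMPLE_HASHES) -> list:
    """Return the names of every digest in `iocs` that `data` matches.

    All four are compared rather than stopping at the first hit: a file
    that matches MD5 or SHA1 but not SHA256 means either a transcription
    error in the IOC list or a collision, and the caller should see that.
    """
    digests = file_hashes(data)
    return [name for name, value in iocs.items()
            if digests.get(name) == value.lower()]


# Constructed log format (assumption, not from the report):
# "<timestamp> <process name> <destination host> <destination port>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>.+?)\s+(?P<dst>\S+)\s+(?P<port>\d+)$"
)


def find_exfil_connections(lines, host=EXFIL_HOST, proc_name=SAMPLE_NAME) -> list:
    """Flag outbound connections consistent with this sample's SMTP exfil.

    Two independent rules so that a renamed binary or a swapped mail host
    is still caught:
      "host"    - any process connecting to the extracted exfil host
      "process" - the sample's process name connecting to any SMTP port
    """
    hits = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        dport = int(m["port"])
        reasons = []
        if m["dst"].lower() == host.lower():
            reasons.append("host")
        if m["proc"].lower() == proc_name.lower() and dport in SMTP_PORTS:
            reasons.append("process")
        if reasons:
            hits.append({"ts": m["ts"], "proc": m["proc"], "dst": m["dst"],
                         "port": dport, "reasons": reasons})
    return hits


# Constructed sample log lines; ip-lookup.example and mail.corp.example are
# placeholders, not hosts from the report.
SAMPLE_LOG = [
    "2024-09-13T10:01:02Z staff recordpdf2024.exe mail.myhydropowered.com 587",
    "2024-09-13T10:01:05Z staff recordpdf2024.exe ip-lookup.example 443",
    "2024-09-13T10:02:00Z outlook.exe mail.corp.example 587",
    "2024-09-13T10:03:00Z staff recordpdf2024.exe 203.0.113.10 25",
]


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "matches:", matching_algorithms(fh.read()))
    for hit in find_exfil_connections(SAMPLE_LOG):
        print(hit)
```

Run it with one or more file paths to check them against the report's hashes; the log scan over the constructed lines flags the connection to mail.myhydropowered.com:587 on both rules and the connection to 203.0.113.10:25 on the process rule only, while the legitimate mail client and the IP-lookup request on 443 are left alone.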

MITRE ATT&CK Enterprise v15

Tasks