General

  • Target

    0b8d4b6ed2333b9783b3a340d2fcf73d32a3322922480a20c37bd936a4928742

  • Size

    585KB

  • Sample

    240913-t3mkvsxeqg

  • MD5

    6e134c1a0853ccf0bef03a7253ca3c31

  • SHA1

    ea7b0156042035ca5592771fd36ea173def6efe4

  • SHA256

    0b8d4b6ed2333b9783b3a340d2fcf73d32a3322922480a20c37bd936a4928742

  • SHA512

    8f4b8442bbbf12bdb3bc15f40589b616bee0fcafa26b8222e2639beb95bfa94671424a4653490da88268bb6a830dadd1fc5968aa68d607785d57fa1b1fe164f2

  • SSDEEP

    12288:kTDTSh1rydoz6gS7ccuTi90qhJFCpdwEFborN5KdutXG6:YDWhWo8ssJFCpfBorVtXG6

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5187914704:AAHhM5YfeLYR_Ow0fgwMOZKO7je7btbh5DA/

Targets

    • Target

      Fatura nº 4052804664.scr

    • Size

      693KB

    • MD5

      a0de9f804b692969d93ba2a8011f73a4

    • SHA1

      247b67ca3f7d4f1017a537abb96384136936b78b

    • SHA256

      cc58af4374174d975a7fc1abc5f43a0f537da1482334b95631ea9d5668db7304

    • SHA512

      7dca8968d20f3159c75a5b6effb67456a30309f4652e9b45fa577ef19fe23a6532aa69532f4c28ae819be0da3a455b44971836fce7a041ffd143904c13cbbce9

    • SSDEEP

      12288:nS993Hgi8MefNnUlSAgsWYTfxCIpIj4LcGPhGgXHXelLEAmD:qTmM77lTfxC/GpGgA

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks