General

  • Target

    MoJmC.exe

  • Size

    3.0MB

  • Sample

    240914-d869fsvenl

  • MD5

    1013374ebb99df88b338ff474886c7aa

  • SHA1

    01a6e8906c56a2b4bd7819d36e27c1f6bcc02438

  • SHA256

    359323ed51405ce11b33376541453b3d6b55557fe9270ba015772224b59c6af9

  • SHA512

    7926151f552cd73aa4ac8122afd25be53b4f17d97a489df941fc6b140d7a0ec22bcb450d9912a26781ff3005695ac03dac500ef735495798caa379416504669a

  • SSDEEP

    49152:xbHAYmW2bWh9TGcmxVIXzEoE8KOg1mMbRnyIqe:x8GTe

Malware Config

  • Extracted family

    agenttesla

  • C2

    https://api.telegram.org/bot5623048028:AAG99YvLznC7p93amrVLQ5RB-YTz23XsDLs/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15