General

  • Target

    16092024_0913_16092024_PO1037596.rar

  • Size

    605KB

  • Sample

    240916-k6qx1szbpb

  • MD5

    35e76845d649e69a101a0d0fbea2a1ad

  • SHA1

    61f397aed0fc24c37b741fa046da490c93f32aef

  • SHA256

    d9d81b7f2062604548db93c379ffecbe38d5b5010d365b6b1ddeb4f856e43527

  • SHA512

    68fd4df325f9b89c1f2d111173700a2186e62f7759dcfbfcc68bb3ab990bff98ce2eb2d454cebb838eb5e6aaa63af6187e65ca61e0e4b664e3d5f5c567c125c2

  • SSDEEP

    12288:Be6NxTDiW6f5wif60ddDv0zZ6OoK8Adu72VZAExjwbm07fEw7dYq8aw:BtuW6feizD8zRd8d72VB1em07fdRYTaw

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.bonnyriggdentalsurgery.com.au
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    eL)rV@QBKA#m

Targets

    • Target

      PO1037596.exe

    • Size

      639KB

    • MD5

      2d1c2e159be49acd9da60cd08bab1578

    • SHA1

      9e5aa237b5b8a027c5a52d13db554437dbf603ce

    • SHA256

      59fcfb7a5c799be9973a2b40bf72a62ec818aff1b2416c5ad7592db25306a176

    • SHA512

      4b818ab516e8b07a13e8ed2db98bef7ca93ef21448df1e961a417eb8d872b1d5841440d56348ca90a36e9a60e12ce444bebf927f74358528e8b1915ea0f0494a

    • SSDEEP

      12288:KTnd+S4B5jktylvtQbUdXe0et+7EeCCyVFkHCduv4Pr8+QUef12BVIM1Fk7uykR:3fjktI6JA77CCyPZdu+gf1bSFkg

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15