General

  • Target

    da3723cecfee4e8bf281a60ef8025ce18c9a7446ee4894934d4a1fd575620f30

  • Size

    594KB

  • Sample

    240916-q947ps1fjn

  • MD5

    772f6cf1b248a3dca46efc9c418160af

  • SHA1

    d2b0e8ded2f86883656ecd01d1feb8f9283a2ac9

  • SHA256

    da3723cecfee4e8bf281a60ef8025ce18c9a7446ee4894934d4a1fd575620f30

  • SHA512

    3da3cdc15f1d818519321d90eba9ef82d6db3f918072ca1571dbebe3dbcc5d7099b9236d17e619a0632f485ee6a9cd5f877fb68186e577fb0ee71956a8706137

  • SSDEEP

    12288:BC3PZXHZjf45tJkiGF59CKpbG4d3qjhobwXJR9Bo+Cx7bB4fbw6A:BCfZ9f45tyFbhc4dyobwXVBdyEbA

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      ed70bf326cea089f65ec4d96d7874d8cb65f5ae5bb12bb66ff0e9f6b4bde78ee.exe

    • Size

      3.3MB

    • MD5

      37bbc0a6a399418331028aab64f4934b

    • SHA1

      ab202974d765cd711cdb1174e06703e3e7f8f6fb

    • SHA256

      ed70bf326cea089f65ec4d96d7874d8cb65f5ae5bb12bb66ff0e9f6b4bde78ee

    • SHA512

      b9f170fe33ec79f6a4c9f0b01a0536a67cf4037957ae26a0523e461091f1cb7341b8f89ba8da46e189c1084503b854f8804dc230e844b6b5c50e4b132c740882

    • SSDEEP

      24576:HQ2UiVzd4oKzRpnOQGOvP6Lryocw1N/qMJ:H+iVJ4oKnCr/d

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, commonly described as written in Visual Basic (.NET).

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
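The signatures above each fire on a single access to one credential store. On a live endpoint the same accesses are routine when the owning application makes them (FileZilla reading its own sitemanager.xml, Chrome opening its own Login Data), so a practical triage rule is to attribute hits per process, ignore the store's own application, and alert when one process touches several of the stores named in this report. The following Python is an added example of that logic, not code from the sandbox or from the sample; the event records are constructed, loosely shaped like Sysmon file, registry and DNS events, and the process names and paths in them are made up for illustration.

```python
"""Triage helper: flag AgentTesla-style credential-store access in endpoint
telemetry.  Added example; the events below are constructed and only
loosely resemble Sysmon file/registry/DNS records."""
import re
from collections import defaultdict

# Each rule: (behaviour label as used in the report, event type, regex over
# the accessed target, names of processes that legitimately own that store).
RULES = [
    ("Reads WinSCP keys stored on the system", "registry",
     re.compile(r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions", re.I),
     {"winscp.exe"}),
    ("Reads data files stored by FTP clients", "file",
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I),
     {"filezilla.exe"}),
    ("Reads user/profile data of web browsers", "file",
     re.compile(r"(\\Login Data|\\logins\.json|\\key4\.db)$", re.I),
     {"chrome.exe", "msedge.exe", "firefox.exe"}),
    ("Reads user/profile data of local email clients", "file",
     re.compile(r"\\Thunderbird\\Profiles\\", re.I),
     {"thunderbird.exe"}),
    ("Reads user/profile data of local email clients", "registry",
     re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles", re.I),
     {"outlook.exe"}),
    ("Looks up external IP address via web service", "dns",
     re.compile(r"^(api\.ipify\.org|checkip\.dyndns\.org|icanhazip\.com)$", re.I),
     set()),
]

# Constructed sample telemetry: two benign self-accesses, one process that
# behaves like the report's sample, and one lone IP lookup.
SAMPLE_EVENTS = [
    {"pid": 1010, "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "type": "file", "target": r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 1020, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "type": "file", "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "type": "registry", "target": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\default"},
    {"pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "type": "file", "target": r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "type": "file", "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4242, "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "type": "dns", "target": "api.ipify.org"},
    {"pid": 5050, "image": r"C:\Windows\System32\svchost.exe",
     "type": "dns", "target": "checkip.dyndns.org"},
]


def process_name(image):
    """Lower-cased file name of a process image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event):
    """Return the behaviour labels one event triggers.  Access by the store's
    own application is not counted: a browser reading its own Login Data is
    normal, an unrelated binary reading it is not."""
    hits = []
    for label, etype, pattern, owners in RULES:
        if event["type"] != etype or not pattern.search(event["target"]):
            continue
        if process_name(event["image"]) in owners:
            continue
        if label not in hits:
            hits.append(label)
    return hits


def triage(events, min_behaviours=2):
    """Aggregate hits per process and return {pid: {"image", "behaviours"}}
    for processes showing at least `min_behaviours` distinct behaviours."""
    per_pid = defaultdict(lambda: {"image": None, "behaviours": set()})
    for ev in events:
        labels = match_event(ev)
        if labels:
            per_pid[ev["pid"]]["image"] = ev["image"]
            per_pid[ev["pid"]]["behaviours"].update(labels)
    return {pid: {"image": d["image"], "behaviours": sorted(d["behaviours"])}
            for pid, d in per_pid.items()
            if len(d["behaviours"]) >= min_behaviours}


if __name__ == "__main__":
    for pid, info in triage(SAMPLE_EVENTS).items():
        print(pid, info["image"])
        for b in info["behaviours"]:
            print("   ", b)
```

With the default threshold only the process that touches several stores is reported; the single external IP lookup from the other process is kept as a weak signal (threshold 1) rather than an alert, since many legitimate tools perform the same lookup.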

MITRE ATT&CK Enterprise v15

Tasks