General

  • Target

    3a624f34cbe7df5ec9b2c1ce3384b80f71d7dedf9373c80f560f05e4fc8730ac.zip

  • Size

    1.3MB

  • Sample

    240922-bjmseavcmb

  • MD5

    dee8cfff9e63222d7518be1f2bc68893

  • SHA1

    0f1a3c35c5465ed673d6176c3a955eb5850be9ad

  • SHA256

    3a624f34cbe7df5ec9b2c1ce3384b80f71d7dedf9373c80f560f05e4fc8730ac

  • SHA512

    ea207b979a436ce67b254b39f2be962a934d055bb9298bd371f1470cd8258dc1a12dd21e78a54c5cbdf888bdceeb52998307ee4744fab418028a783b3e5003cf

  • SSDEEP

    24576:jdgdJvaOODvn+yP577yDRxXoslaWDaUFnB6n5SscMmsV5IbiytW3qhaBFOHoOMnC:GuGyx77yFxXp3ZB6cscMmkYiNMaBFOHv

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SPW AW25 - PO.010 SMS.exe

    • Size

      1.4MB

    • MD5

      7c89b48a2752a771eb6457fe2fea1d8e

    • SHA1

      afb602ef798b23f400fd3d474cb570aa781797c4

    • SHA256

      3d1e16dec7f88b3ccdf7197c64a6eea6a7d3599c12f34893d60012ffd61f15ce

    • SHA512

      9338a3817216563677573599d5dd3cacb4be084a2e46c77516d56a207ce7d8d06a376ea4be1a7863ffeb823ae803b891ef947cfb81d4813a52ce152038e97d48

    • SSDEEP

      24576:OnpUwegOzvr+8J97vsJRx1osJYWDaK9rB6hjscMmQV5IPiMtWb05UaaYy6nnjqKh:OCri8H7vsjx1V15B6xscMmY6ivQUNEjF

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks