General

  • Target

    22092024_1315_21092024_NO7367027738832_789257820.doc

  • Size

    642KB

  • Sample

    240922-qhegza1fnh

  • MD5

    b16595c7c02434cb4e95e46eaa864262

  • SHA1

    d9ed513e1cc6a3538c12fb404ff576c32028a3bd

  • SHA256

    3e1ba9d9fae253f1cebc7ddaafbc893f10cd8fd9b644e4b18f4e4f06f3cb62b0

  • SHA512

    9b362dab6d79482201b789eb12335f3a9cc0e30663e63cd40ff169084ec4284cf957914f40b5e15f75215e19194dc84c3a24462bc39383e79dc626dcb11a1e9e

  • SSDEEP

    6144:ewAYwAYwAg+bU29khgINRyJT8cai2+QurA0nI:n9

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      22092024_1315_21092024_NO7367027738832_789257820.doc

    • Size

      642KB

    • MD5

      b16595c7c02434cb4e95e46eaa864262

    • SHA1

      d9ed513e1cc6a3538c12fb404ff576c32028a3bd

    • SHA256

      3e1ba9d9fae253f1cebc7ddaafbc893f10cd8fd9b644e4b18f4e4f06f3cb62b0

    • SHA512

      9b362dab6d79482201b789eb12335f3a9cc0e30663e63cd40ff169084ec4284cf957914f40b5e15f75215e19194dc84c3a24462bc39383e79dc626dcb11a1e9e

    • SSDEEP

      6144:ewAYwAYwAg+bU29khgINRyJT8cai2+QurA0nI:n9

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks