General

  • Target

    6aea3d218ef7cef5a92e712a51d9d3871cac3c82805ed9ae02c8baf8d8f0d3b9

  • Size

    45KB

  • Sample

    240925-xerrfs1emm

  • MD5

    95585d530994212a76d2884c4c000eb8

  • SHA1

    b11f6bec6ba8989333a15c657a5dabaa57a611f8

  • SHA256

    6aea3d218ef7cef5a92e712a51d9d3871cac3c82805ed9ae02c8baf8d8f0d3b9

  • SHA512

    2ba7fd17ccae122eb2bd3bdcd8755b05a812ef93f8bc71b023d5281fabc7f24d2e949b72dfde3b1bd4a2ff44641e53094a8833e4f314254124bf6d34d0015a71

  • SSDEEP

    768:ilZGWhrA7q/CvhR8tWm98aKbQHw9PeSqjwDdKIO/9egR44Cgp38rYvw/cBYdWCp3:ycerA7q/C3z1dbQQleS8wC8+4jW38MxK

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      CCE_000110.exe

    • Size

      99KB

    • MD5

      7f1f15a85427da202d74198b1cd039d9

    • SHA1

      ca883d37cb9e51c1b2cbeb8ab7a398f4f95df187

    • SHA256

      44fa04f2cb49eb5ee3d7c3d3dfafa2a53137f6e1dc8edf4b6c21d6c7af487e06

    • SHA512

      14a9658d4658aac38b18b6a2c6eb5be6c631099965b15dda7d0ae5aefb96093afc4c885cce7747da2fc9ad8e1ca8581a7a4d7bec838ea4cb23ca990108d94590

    • SSDEEP

      1536:dTuLU6Ez6NhN4ahmbtbJRmYUaNuquK630VD1:dT96Ez6Nz4ahmBV9UaNDEEVD1

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks