General

  • Target

    demeonay.tgz

  • Size

    846KB

  • Sample

    241007-nae3eswbph

  • MD5

    b448b8e143c4a2c512a9963133162e89

  • SHA1

    70c8fea5e45fef06fef7501baa25d072b06478d1

  • SHA256

    5dc440ad55871976c55f08048e7411d242a64324065fc91648d8771c2bfabce9

  • SHA512

    3b9be95552400e69262284aa586f1cb032d284b4654d61f7c854c63efec2785fc83d23005a42accfcda9a5e935dc14ebbf9718ab98e8c82aa327fe4d81a8e00d

  • SSDEEP

    768:DtF5w+B6dQn/q7EZnkrBnWEnVZaWTQ2Bp0dAgdH9WOJLEq:15l/VtbWT9p0dAgfJ4q

Malware Config

Extracted

  • Family

    agenttesla

  • C2

    https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/

Targets

    • Target

      Ödeme onayı.exe

    • Size

      810.6MB

    • MD5

      467f7cbaf02335a9c92745bf88f6bd4f

    • SHA1

      bdde0d6a94a4d40cd3fecfb33ddff0d77727d233

    • SHA256

      d7eed63546caf4b8351e4dd2f87ffb46579177b2c6c559d019f2af86009e4821

    • SHA512

      8b103e68a68bfdaf830ab41f168274cad1b8896506c0219df8c4ba4060f9e57d5967dfdd9351f971ee35ec9f9ed7d9fd844ef48dc1ae0b2288b953613a08038f

    • SSDEEP

      1536:bjqr2ex0i4wnVqlBPwSP2nYQsH630VDH:bjqKex0i4wnVwwKlsEVDH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks