Resubmissions

11-11-2024 02:26

241111-cw5dna1ckh 10

27-10-2024 10:00

241027-l1tbmatqcn 10

27-10-2024 09:45

241027-lq65qstpep 10

General

  • Target

    a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7

  • Size

    594KB

  • Sample

    241027-lq65qstpep

  • MD5

    b0f2d519ccae5bf1435264e0979770ce

  • SHA1

    212da7b3ed9c89d83941f6bb0dba889fa24f8f6a

  • SHA256

    a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7

  • SHA512

    a50b9d27abdf6195a2689ff911e11cbc6f71cbf69d1872c765a9fc92b3a2a8e2717e260c76d1c91576d59f6b105a27b1cccc6056251dc80a0dc8afecbff3507c

  • SSDEEP

    12288:o+zgiqlYVUUJiotHw9c93n5zzsO1E48Mjr0J42lX:bl3xScRRz71Eowim

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    pPCXThF2

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    pPCXThF2

Targets

    • Target

      a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7

    • Size

      594KB

    • MD5

      b0f2d519ccae5bf1435264e0979770ce

    • SHA1

      212da7b3ed9c89d83941f6bb0dba889fa24f8f6a

    • SHA256

      a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7

    • SHA512

      a50b9d27abdf6195a2689ff911e11cbc6f71cbf69d1872c765a9fc92b3a2a8e2717e260c76d1c91576d59f6b105a27b1cccc6056251dc80a0dc8afecbff3507c

    • SSDEEP

      12288:o+zgiqlYVUUJiotHw9c93n5zzsO1E48Mjr0J42lX:bl3xScRRz71Eowim

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks