General

  • Target

    54dedd8e31bd10edaba740b4a408ccf7f79f04af6da62c3c627bd34c88abbbad

  • Size

    640KB

  • Sample

    241031-k2kkfawark

  • MD5

    f6f781c782d9acf9244f6709bddc878d

  • SHA1

    e9eabc58c3d924de685bfd3970388d6808a365a7

  • SHA256

    54dedd8e31bd10edaba740b4a408ccf7f79f04af6da62c3c627bd34c88abbbad

  • SHA512

    8a32f3318562757d6b68787c9f39c93b3cf21f9f00341d31d63dfc452b900a37bdcb68704cf78dfc206047dc415e00b46ba1721a783d4bb7b4d3d414ce8108e9

  • SSDEEP

    12288:M9AV71q7i01nz6Fo0VD6TaySPmpyWfjYEyfJuAHFrw1DfsG:M9071q7ionIo0sTSM5jYEywswlH

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

  • Protocol:
    smtp
  • Host:
    mail.magnatextile.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ow%{&}mti{&}$is

Targets

    • Target

      OpTransactionCyberReceipt31-10-2024.exe

    • Size

      760KB

    • MD5

      f14bc331617b1e8b5cafeabb58940b14

    • SHA1

      abaaefcd9d9a7199be027ce8e8328d2d60afa174

    • SHA256

      09ae76100f8286e762987bf307fc01d8dc7a044c90f257dcae81e77122184a23

    • SHA512

      9c1c847705a9f498c8056216f4f27675d95e629e82f7e5d26243290f048389156886deb44a74d5495b0bb8ef99c71bcd15ea6ccce3c2fbc28edc0e7d530d7f58

    • SSDEEP

      12288:ywRrXQ9TZwevdMO7xeSvOwoqqfVcPg5gsrYYaEspyOfzwE5vUezvx7UwFfRcjcQ:Twvn18qqfVcPg5gs8YkPzwE5Mwd8jd

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15