General

  • Target

    f02584899b5df46577876830f08f4c3d0e71907c7a5938fc932c8db25fa72e0e

  • Size

    655KB

  • Sample

    241031-lfhz6atpds

  • MD5

    3b3547af65a6b0af1f737c0cc2ceb210

  • SHA1

    ffe4b2cb4b9d92d25ab801013cad4a75930b75e4

  • SHA256

    f02584899b5df46577876830f08f4c3d0e71907c7a5938fc932c8db25fa72e0e

  • SHA512

    3001101f85f5bbf361c8a366566f0243ea4b1f413cad5d55b82a963482adc9f9109ee3cf441299ce28d7a94fb5c32221e70439e12b75b27e41c683ba7b90d1aa

  • SSDEEP

    12288:uMTmly8qSJe+5iSOn2vQKUvNYBizP3w7tnMe/C+/ly+5LVRBH2lCC6UUgPNH/OwZ:pl8qSQ2IxSBiLgRMeK+/lxxUaUNRZYhM

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    zqamcx.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Methodman991

Targets

    • Target

      Musterino_94372478_Ekno_101_20241031410530_ekstre.exe

    • Size

      782KB

    • MD5

      246168111c9424560475bbfc24a7fdae

    • SHA1

      2ce0203983ae35d04bfdc9704f4dc439e86d0e9c

    • SHA256

      ba22a1fd5ccbbc56dd6c30c556637865c156a5e332e6a718c336b9d591b86a9c

    • SHA512

      6f4eaa6447b8d96be937e32ab79736866745bc40207d9ec4a714459b35a285d9be8dd51f0be46970d576cd9afab177429068e986aa18a6c6395e3a56e98d6796

    • SSDEEP

      12288:jBRrXQ9TZweQjcQNz2vQKCvNYLI5P3c73nMINla9t7QTytCkDhLMnQPQkR:VwQjdNyItSLINsjMIwt7QOtldMQf

    • AgentTesla

      Agent Tesla is a remote access trojan (RAT) and information stealer written in .NET (originally Visual Basic .NET). It harvests saved credentials from browsers, email, FTP and VPN clients and typically exfiltrates them over SMTP, FTP or HTTP; the extracted config above is the SMTP account this sample reports to.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (typically via Add-MpPreference / Set-MpPreference -Exclusion*), so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence (the sample can abort or change behaviour depending on the victim's locale).

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions, which can include saved host credentials.

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla, which store saved site credentials.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved passwords on disk, where infostealers often target them.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Suspicious use of SetThreadContext

      Commonly seen with process hollowing: a loader starts a legitimate process suspended, writes the payload into it and uses SetThreadContext to redirect execution to it.
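The Defender-exclusion behaviour in the list above is one of the few in this report that leaves a clean host-side trail. The following is an added example, not part of the sandbox report or the Agent Tesla sample, of how a detection engineer would flag it from PowerShell Script Block Logging. It assumes Script Block Logging (Microsoft-Windows-PowerShell/Operational, event ID 4104) is enabled and that the ScriptBlockText field has already been pulled out of each event; the script blocks it scans are constructed for the example.

```python
"""Flag Defender exclusion tampering in PowerShell Script Block Logging output.

Added example, not part of the sandbox report. Assumes event ID 4104 is
enabled and that ScriptBlockText has already been extracted from each event;
SAMPLE_SCRIPT_BLOCKS below is constructed for the example.
"""
import re
from dataclasses import dataclass

# Both cmdlets matter: Add-MpPreference appends to an exclusion list,
# Set-MpPreference replaces it (and can also switch off real-time scanning).
CMDLET_RE = re.compile(r"\b(add|set)-mppreference\b", re.IGNORECASE)

# The three exclusion lists named in the report's behaviour description.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")
_CANONICAL = {p.lower(): p for p in EXCLUSION_PARAMS}

# A parameter followed by one or more comma-separated values, quoted or bare.
# Caveat: PowerShell also accepts unambiguous parameter prefixes, and a quoted
# value containing a comma would be split; tighten for production use.
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s,'\"]+)"
PARAM_RE = re.compile(
    r"-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+"
    r"(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE,
)
DISABLE_RT_RE = re.compile(r"-DisableRealtimeMonitoring\s+\$?true\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    cmdlet: str              # canonical cmdlet name (Add-/Set-MpPreference)
    parameter: str           # which exclusion list was touched
    values: tuple            # excluded paths / extensions / process names
    disables_realtime: bool  # same command also turned off real-time scanning


def _split_values(raw: str) -> tuple:
    """Turn  'a', "b", c  into ('a', 'b', 'c'), stripping quotes."""
    return tuple(v.strip().strip("'\"") for v in raw.split(",") if v.strip())


def find_exclusion_tampering(script_block_text: str) -> list:
    """Return one Finding per exclusion parameter found in a script block."""
    findings = []
    for line in script_block_text.splitlines():
        cmdlet_match = CMDLET_RE.search(line)
        if not cmdlet_match:
            continue
        cmdlet = cmdlet_match.group(1).title() + "-MpPreference"
        disables_rt = bool(DISABLE_RT_RE.search(line))
        for pm in PARAM_RE.finditer(line):
            findings.append(Finding(
                cmdlet=cmdlet,
                parameter=_CANONICAL[pm.group(1).lower()],
                values=_split_values(pm.group(2)),
                disables_realtime=disables_rt,
            ))
    return findings


def scan_script_blocks(blocks) -> list:
    """Scan a sequence of ScriptBlockText values; returns (index, Finding) pairs."""
    hits = []
    for i, text in enumerate(blocks):
        hits.extend((i, f) for f in find_exclusion_tampering(text))
    return hits


# Constructed sample script blocks (not taken from the sandbox run).
SAMPLE_SCRIPT_BLOCKS = [
    # benign: an administrator reading the current configuration
    "Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess",
    # loader pattern: exclude the drop directory and a staging directory
    r'Add-MpPreference -ExclusionPath "C:\Users\Public\ekstre", "C:\ProgramData\svc"',
    # extension and process exclusions on one line
    "Add-MpPreference -ExclusionExtension exe,dll -ExclusionProcess 'RegSvcs.exe'",
    # case-mangled cmdlet that also disables real-time protection
    r"sEt-mPpReFeReNcE -ExclusionPath C:\Temp -DisableRealtimeMonitoring $true",
]

if __name__ == "__main__":
    for index, finding in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        flag = " [real-time monitoring disabled]" if finding.disables_realtime else ""
        print(f"block {index}: {finding.cmdlet} -{finding.parameter} "
              f"{', '.join(finding.values)}{flag}")
```

The benign block produces no finding because only Add-/Set-MpPreference are matched, while the case-mangled invocation is still caught because cmdlet names are compared case-insensitively. For a live host the same cmdlet names can be checked against the current state with `Get-MpPreference`, and Defender's own "configuration changed" event (ID 5007 in Microsoft-Windows-Windows Defender/Operational) gives a second, PowerShell-independent source for the same change.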
