General

  • Target

    be2bc33b9acb5b939bc7cba84521cda274380a09b4acbe6e9696b8183352b5e8

  • Size

    565KB

  • Sample

    241031-z1jn3svngr

  • MD5

    d5f46247a99f52bc1464c0366e03b24c

  • SHA1

    4a19b3420b2b3d58ed89f553644135015405b1bc

  • SHA256

    be2bc33b9acb5b939bc7cba84521cda274380a09b4acbe6e9696b8183352b5e8

  • SHA512

    11cf62f5d2ee48635b635b9750fb0d4b2b73c3e2514d75f00e99330445bd8124b8b98d3bb624cba0e14769cb8726493e232369d678d748ef958bab78221d9e91

  • SSDEEP

    12288:FuzVOiK53tnv1Z5TpVqBvwz3GNjSTGW4tH:oGv5XqViTGJ

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.albaniandailynews.com
  • Port: 587
  • Username: [email protected]
  • Password: 125875.jUkT

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks