General

  • Target

    b428d9df56ef2207ff0f5b5cec5e6c949a040fb1c5704ac451a4bff246423012

  • Size

    1.1MB

  • Sample

    241104-bdmv8aykft

  • MD5

    c8983675cbcb4994873b335b2147b430

  • SHA1

    ef94493e9282dbb2437a2327f2cb7c944c9a992f

  • SHA256

    b428d9df56ef2207ff0f5b5cec5e6c949a040fb1c5704ac451a4bff246423012

  • SHA512

    35e2823e9b63c74db7d8f74b23e49f34fcb52efa45035946933e580f835051168ad7fee7acaf4422f728ed446140d7295ec7f10125c702249e0dfeb2bd3e4ff3

  • SSDEEP

    24576:0jXWh2ZNUbilIEfF5qSIb8BFeaY/sALuffXCz:gM2ZNbIboPY+ffXCz

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.zoho.eu
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    office12#

Extracted

Family

agenttesla

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
