General

  • Target

    9dae147fba1359897a58e48f998e32da5abb67031340abd39f99301f8ea373b3.rar

  • Size

    699KB

  • Sample

    241111-pp3byazcje

  • MD5

    7afb60892f68e0bea7541607b7007376

  • SHA1

    1b8d1f1e4c127827c478ebebe7d0de1097f2fa55

  • SHA256

    9dae147fba1359897a58e48f998e32da5abb67031340abd39f99301f8ea373b3

  • SHA512

    5be095ebb15f11eaa9b86e26cdbff7f19a313dee723f92630f6c7919891ebd4a6d51c9a2b536032bf1bc125d54dbd9bd1a83ad86e8a1024152a83fd393871324

  • SSDEEP

    12288:5K6W4IYw8+hnjoF4sL5KHORy91ry7QqxMEn2xLVMIHnoeiR/BVGP0:5K63IY3+Zj1sL5xYQMEnk7IRR/Q0

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pgsu.co.id
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Vecls16@Vezs

Targets

    • Target

      QCP6Umel59hDYWj.exe

    • Size

      863KB

    • MD5

      fa00c5e8af643873a2b1f21a2ad37e53

    • SHA1

      65d79942fcc89adca579223ec8d84adbabdb8da2

    • SHA256

      9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43

    • SHA512

      e96054c9d1b709c72b8e4fe69b2e2e8e36b91e2ca82159eccfd99c79bade92ee1a1125de96f4ea5a8b4b10b4604ba13fb5cdece694d4828fbaf6b6a7f4f7496e

    • SSDEEP

      12288:uqFKqbdlEmbGq/KVtfLky6vXhcmAv++ii31whOGYgOdc9RsODSBfiuMn:uq0qbkmN/K7o/X2NZiifGYgPrmBfXM

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15