General

  • Target

    c0516d9cad09ae1382c71f32c3e8dbe4733c6a6dde07956161d62dcb09db0b5b

  • Size

    640KB

  • Sample

    241114-p5kf3azbke

  • MD5

    5d50f4c83c18772e9ca1b6612409168c

  • SHA1

    6b6cba0ca0fdf312b2cd6a6b987684f98ac4fbe6

  • SHA256

    c0516d9cad09ae1382c71f32c3e8dbe4733c6a6dde07956161d62dcb09db0b5b

  • SHA512

    484d6c4ca0863e29338e240823b65fffdf99a10c4900bf8e975f0ab78d9e52df4cdc508a55a20380bdbc544f3412c244d9dfa5fcc92d19403ff003f51e650569

  • SSDEEP

    12288:07JMjqvylx1MfZwZrNQSZA5d6pV4fZBF0G/0Egu1zNSEsXWh1W:0+jLl8Zq+MLpV4h3bc7gRh/h1W

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.apexrnun.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    %qroUozO;(C2Rlyb

Targets

    • Target

      yyKuc4Eg5i3P81j.exe

    • Size

      744KB

    • MD5

      3e950f49d054b5e8cd4cf569f63681a5

    • SHA1

      4e850f0acd0c1601d3229c8f1c9f5b6f4c0d09ee

    • SHA256

      18f71d49384f2295251ad2e02bad618254c26f9b719ceaf641f077a00ac7d1a6

    • SHA512

      30e202088fec6e6b2a907e32530f3735b87d772b377248718d643e8fdc677922ec6351c819f3644522f78e9409bedfb20cfe11436105de38377a8128ad05bf59

    • SSDEEP

      12288:fk5lCJVM6Z3fyRNtx1X0GLj7MPFCV43pAlJB4bfZ26STgZYChuLUr2m/4i:c5lCJVyNtMGvyF93p0mbh26BhhiUFg

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks