General

  • Target

    e493e598a17764043a1dc1600cb225aa2200db8f010473878f31934392f1d805

  • Size

    638KB

  • Sample

    241115-bkg9bazlek

  • MD5

    7b1d151bfebb84a7479ee62eb1bd4718

  • SHA1

    e13ec176811455af5cfc175f4e2fe244e6844f8b

  • SHA256

    e493e598a17764043a1dc1600cb225aa2200db8f010473878f31934392f1d805

  • SHA512

    8c0ca73865781d1dc68362100535d2ab31a7a09754e0ba6aa581f5acce32fd3c1dd68c1508b6d08584656dc144b9e63b0464752f82b255f7a049115d929816b3

  • SSDEEP

    12288:p+dpWbnAZX4GFGsHAcpERHLHxejN/zS7isNAMmOy:bQHA8ERrSM7iBMmOy

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    zqamcx.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Methodman991

Targets

    • Target

      PO NO170300999.exe

    • Size

      769KB

    • MD5

      e3520bf4517124bd9a2a4fc57b5127dd

    • SHA1

      6f375663293e24e40f5f8a525cc6b2000b19e088

    • SHA256

      cbe1d843259a92581d16088969b0ed1758866626b4ae37e7445abe6bf099f155

    • SHA512

      033517302d5cefdca7d1d7021e8926ad02d448fed6ab80f0e30e69cd8670d55acf33fc487f4f9db622972dfc1a35fb37a7b8264a70279c428aebaa76860e9191

    • SSDEEP

      12288:5W3lK5SX0mH7zCJVMMEpWREG79erWZJP+43as57S6QCWcxxojN/ze6l159j+ukR:EzCJVbBEGRerUJd576CWciUc9j+1

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks