General

  • Target

    0000c5421cc5825b721172d62380ef7a41951b119082b1414cc11cb2b643e01a

  • Size

    905KB

  • Sample

    241116-bgwbrswgmb

  • MD5

    adda41bc016e39fc416640904a8019ab

  • SHA1

    310b1226b93600693cb20d719cb3f3ace029012e

  • SHA256

    0000c5421cc5825b721172d62380ef7a41951b119082b1414cc11cb2b643e01a

  • SHA512

    405f8e5ed648cf7226fa1a4cde6367217dcad3a3b9ca678ee6e30e66c45c0f7daa4ab65f130973cabffb9c0da0bf091ebd074c361166ea18d75012b4d45a7012

  • SSDEEP

    12288:MTf6wtJmcKE2pb57I8n+mVjExISjGwIVYvzsEmUkPa9f1BFLKnqrOyb:M+C2t5s8+GY+6Govzsdv+1CLu

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    @Veronica24

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15