General

  • Target

    1dcbab39d8af3205a4f6c01e7dd3ce6dbced795c300013f1650d812e80aac580

  • Size

    697KB

  • Sample

    241121-jk11esvjbj

  • MD5

    94c591be2372a5ce973a3052ea552b37

  • SHA1

    0b2b55e50786af03b2c75e084946891da9e422e3

  • SHA256

    1dcbab39d8af3205a4f6c01e7dd3ce6dbced795c300013f1650d812e80aac580

  • SHA512

    060f0117a6816e9c5681a7fa0632527205484ad3b8167a3dbb55e5b839b0a7439bd020931e38dea5ebecdafd14109cde13f936dc02a01aa0a41afc9d5de83c10

  • SSDEEP

    12288:7Kv4H0zp+8uxK1ZpWXTjjEhMqL+8mfqgwnB18VapGL05R7KamcdsqqVyZkpU:7q4cw8ODHOMqLESg4Bt205Qah6VRpU

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.starmech.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    nics123

Targets

    • Target

      REQUEST FOR QUOTATION - URGENT.exe

    • Size

      959KB

    • MD5

      576bf1414c3a6cedb920100cffd76442

    • SHA1

      9cbed7b8a4d8a627efb136d56739c17736ae5fea

    • SHA256

      9af1bebf820242bdf04bc9a02ec681cac738353998ca9474716febfeb6bb200d

    • SHA512

      b4bec576df727d792e414733a37bcd593c0469fa9b45d475236873fc26b33e7c11095ae4df00af1fd6c2a6587c1c77e2c5f79151e6caba40d66ce8c96a6d1011

    • SSDEEP

      24576:3ijXbz23zxW9ozm3ai+BBvHLAGtMi5Qdsw:Kz29WYmtO5rFtMi8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks