General

  • Target

    293df280f6f5ddcf8496f8a81bb25013c2b18085f4c4454db3b5581be3129711

  • Size

    528KB

  • Sample

    241122-bljtja1mds

  • MD5

    4b17547324dba526ddafc86c6368f645

  • SHA1

    026ed98d3722601686782e8601eb76dcafbfdc92

  • SHA256

    293df280f6f5ddcf8496f8a81bb25013c2b18085f4c4454db3b5581be3129711

  • SHA512

    ade2c5a7208f3ada3521c37e3963485da2d4cf592ee3009b4a10a07d9505c14746b4fc2424ee0cb93c84f439ac0224dcfbbe1741c70d0558a9cca926a147a63f

  • SSDEEP

    12288:KOywMuiR3dtTTEJAW4wuMqnZsfTaUHSXEjzZH5mLhavOXgt3omitl9c:KN9uiR3bn2AW7aq+USXEXgIr

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Galadinma26

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks