General

  • Target

    953a44794418c979499cd3175d0ea6f09faffed22ad238521af611ec8880d2a4

  • Size

    748KB

  • Sample

    241122-bt9pxs1nfz

  • MD5

    7704da3d6a858dce0dc8e10e9f9d7522

  • SHA1

    da297718714f8d998f4e3a60b75d8fdf575e10be

  • SHA256

    953a44794418c979499cd3175d0ea6f09faffed22ad238521af611ec8880d2a4

  • SHA512

    f4f31a1eb6b33c14069f39fd916a7b05c2de823bf2089845d0e146a3ca48089904e37f368a449c4e2eae4e5501a3dac19830029f726e0bbfd7822d74f1fa118d

  • SSDEEP

    12288:sF3wtfRzxWWQhOu24pv1qJIqkzMjsXSf/hHgo1WYVPZmsh4oEZcQFyyS0+EriA3p:sFMpzxWTTvAKqWtMpAizLB1qvFViEriZ

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.showpiece.trillennium.biz
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    3KJ[T.3]fsSW

Targets

    • Target

      953a44794418c979499cd3175d0ea6f09faffed22ad238521af611ec8880d2a4

    • Size

      748KB

    • MD5

      7704da3d6a858dce0dc8e10e9f9d7522

    • SHA1

      da297718714f8d998f4e3a60b75d8fdf575e10be

    • SHA256

      953a44794418c979499cd3175d0ea6f09faffed22ad238521af611ec8880d2a4

    • SHA512

      f4f31a1eb6b33c14069f39fd916a7b05c2de823bf2089845d0e146a3ca48089904e37f368a449c4e2eae4e5501a3dac19830029f726e0bbfd7822d74f1fa118d

    • SSDEEP

      12288:sF3wtfRzxWWQhOu24pv1qJIqkzMjsXSf/hHgo1WYVPZmsh4oEZcQFyyS0+EriA3p:sFMpzxWTTvAKqWtMpAizLB1qvFViEriZ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks