General

  • Target

    d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e

  • Size

    835KB

  • Sample

    241122-fbgnmsvkcx

  • MD5

    3532d8ab3600b59b2ddbec97094ef831

  • SHA1

    3da6ac379af8fef17b6108f6610af07edee30163

  • SHA256

    d90c61a0a10d5e62fbf8223c15fd9b2e05a25426294b67113286e39848b5423e

  • SHA512

    10e9036a685104bc702a617eb83b89c25273a43362446fbedef7dee44615be832e593475eb4b14b962b2d673766f3339f051d11683619d759f4cd0137f150225

  • SSDEEP

    12288:g7/9WflU/9dlqGzq1ejQrMR6DaoLLeM1+kFqMKj5/A:8ylUdqGW1iCM+S9kQ9/

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks