General

  • Target

    Requirements_010725.exe

  • Size

    642KB

  • Sample

    250701-gbrz2sen8w

  • MD5

    cf27e4c1117cb4b1d1791c4f3288d86a

  • SHA1

    3a591449ef6e2b3cad25f0e4319b31be2633cb87

  • SHA256

    ef0d48f4ab28cc338fc29affea2e019f1aa34a54c4220b19a13f57f73f9f81a3

  • SHA512

    16957c6f30ab70b6f4d022548e16934934fd253fba8d58e7880bd065577af7541ecbf84eb7897e2309c5ecbc3a67287dad73f37a651b5a95b664f7e7b266fc36

  • SSDEEP

    12288:i+idMeVS1HQfA1UCcX9In9CuNL5DTXc9zE7ynbx:Ig1mAiCt9CslTEzgynb

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Requirements_010725.exe

    • Size

      642KB

    • MD5

      cf27e4c1117cb4b1d1791c4f3288d86a

    • SHA1

      3a591449ef6e2b3cad25f0e4319b31be2633cb87

    • SHA256

      ef0d48f4ab28cc338fc29affea2e019f1aa34a54c4220b19a13f57f73f9f81a3

    • SHA512

      16957c6f30ab70b6f4d022548e16934934fd253fba8d58e7880bd065577af7541ecbf84eb7897e2309c5ecbc3a67287dad73f37a651b5a95b664f7e7b266fc36

    • SSDEEP

      12288:i+idMeVS1HQfA1UCcX9In9CuNL5DTXc9zE7ynbx:Ig1mAiCt9CslTEzgynb

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks