General

  • Target

    61a909290010897c2e5059b4f24056da80e842d7c24b534475060ca8c1c3925b

  • Size

    31KB

  • Sample

    250704-nrt8nssmv8

  • MD5

    0f87f8a7ed4cab5f85daf2cdd9c3bbe8

  • SHA1

    78790a9fcb98d23211167d3b3923c7324f8ddfa7

  • SHA256

    61a909290010897c2e5059b4f24056da80e842d7c24b534475060ca8c1c3925b

  • SHA512

    7e03cd28726a630f1a793410c17ed03425fe0c7135186801fde521b7cbad3e9e6e7089e95ca85e34128dad4fedf0fcddd2f32d717567c5061745959c307c0986

  • SSDEEP

    768:mxdPX+pDza+UvjKKS8QTakm6y8Kx1iX9sTSJeK58Kg7m:mvqva+UbcL2keEySJvcm

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Asco Valve Shanghai OrderPO-011024.com

    • Size

      50KB

    • MD5

      0c90379314f161df6b92c70bb2c73813

    • SHA1

      525a23f91cbccdb38acb8bd90ba8c8daffb63749

    • SHA256

      50cc3131dc874fbef87b5926cbe1803b0586232c73420ef4f6b6542d8c51b12b

    • SHA512

      6d793955d89e2cdd9266de653ea7f1b5e5a3db56ac4b06aa1e08d843aab1e903b79df0b768fdfdf49c596a5fd6e5bb4cf2a59e40d2c30b9adf331ba0db420512

    • SSDEEP

      1536:Icg2pI81jNYIVedwF0ECg0iA6nSvWbenW6r56zT:IcgSvtNYIoG+inSJP56X

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks