General

  • Target

    a231867aa2f69e92df3316a690bffb83.exe

  • Size

    958KB

  • Sample

    221210-kyw43afc57

  • MD5

    a231867aa2f69e92df3316a690bffb83

  • SHA1

    7648101af557933157c7d039656b33e5f081385c

  • SHA256

    41cafe6bef34f95a60f53f863bce19203694e9799be506fc3a3b24a68ebde719

  • SHA512

    d3d5c85913c809b948793bc6760d0b364307d776ec406bffeeb52afaa8f5b274fddbe5c209ce60be2333a3ce678894c275bd16b0af818a3a89a04645e6cefcca

  • SSDEEP

    12288:uTcr2iNhVZNYYC8AxdDlZDDems2CckEyExos1ywoE+2fZAAVoVgc41Bp3Da7bLBu:ugr1nQRFKmEcrPas1B+2xHooPObLBI

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.valvulasthermovalve.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!!

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.valvulasthermovalve.cl/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!!

Targets

    • Target

      a231867aa2f69e92df3316a690bffb83.exe

    • Size

      958KB

    • MD5

      a231867aa2f69e92df3316a690bffb83

    • SHA1

      7648101af557933157c7d039656b33e5f081385c

    • SHA256

      41cafe6bef34f95a60f53f863bce19203694e9799be506fc3a3b24a68ebde719

    • SHA512

      d3d5c85913c809b948793bc6760d0b364307d776ec406bffeeb52afaa8f5b274fddbe5c209ce60be2333a3ce678894c275bd16b0af818a3a89a04645e6cefcca

    • SSDEEP

      12288:uTcr2iNhVZNYYC8AxdDlZDDems2CckEyExos1ywoE+2fZAAVoVgc41Bp3Da7bLBu:ugr1nQRFKmEcrPas1B+2xHooPObLBI

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks