General

  • Target

    Air waybill number 290132727 Physical weight 1 05 kg Seats 1.gz

  • Size

    423KB

  • Sample

    230201-kvfynscf65

  • MD5

    d6f8fe93185b1f97a8ded2e50f4affb6

  • SHA1

    c2af7cff7678443b4a8aad601e8af7c9965bce20

  • SHA256

    7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8

  • SHA512

    10246ae5aa166571a23401b9dec2032ad78820f5d5c1e3a1e07becd5355a99133257cf07cd30d475ea9b095c81839e5b985cfa7be0b3b2a948d62ff371840406

  • SSDEEP

    3072:jSO3hXUswB+yhvWp0KnRRd42KpIguhaEin0mNXSbN22WBeq:/5O+yV8TnB4pIsEc0mhSbI2Wf

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.mgcpakistan.com
  • Port:
    21
  • Username:
    infoo@mgcpakistan.com
  • Password:
    boygirl123456

Targets

    • Target

      Air waybill number 290132727 Physical weight 1 05 kg Seats 1.exe

    • Size

      300.3MB

    • MD5

      5868c50e2dc1435ef5c2c33ec04f70d1

    • SHA1

      970a43bb83cde2b80f5ddfa5157b6e5f9e3449c1

    • SHA256

      0963e88faac0d46f2bf382518aabb094fc9429d309e6eb7d18d4fa8c0f32d667

    • SHA512

      76ca95d5b222d8c53ea9a938039168f71e328b3b108187ff1e7fe11c5686978cfadd7919e53ece493384bdf4e8fd5fd924585abbd786c38ae63b9734c526e3b7

    • SSDEEP

      3072:s+LwLS2Vbqe+uZtuQ0UzDNwwh0wR2c2vGZ9pwPtV3vJPg1NXHII61gdZwgJRZ/2u:wEe+iXFBwhw0cvxwV3vaHIIiHFM

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect PureCrypter injector

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks