General

  • Target

    aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5

  • Size

    678KB

  • Sample

    230203-t5ja8abf3v

  • MD5

    607d8ff147f8f5cfc825c159319684ef

  • SHA1

    827b8de4f2db33ac5d9a43445d71d1c003827ae4

  • SHA256

    aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5

  • SHA512

    54b224478acacb7249ae8bfb822341f366bebd93a255f8c63c0c2d169a81276fb2a4305c9e1c3918311112dfd960acd66e848afbabe8b17c7526ad3bd180c3f5

  • SSDEEP

    12288:8cMkhWAEQ0CQncg1mbwhvsZEatpSe220XBUohsNbL7YJw:CzQ0CQcdOtkkeN0XBUoheV

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.sentientshift.com
  • Port:
    21
  • Username:
    senti@sentientshift.com
  • Password:
    @sentientshift.com

Targets

    • Target

      aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. The configuration extracted above shows this build set up to exfiltrate over FTP.

    • GuLoader (also known as CloudEyE)

      A shellcode-based downloader first seen in 2020, commonly used to deliver Agent Tesla and other stealers.

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, a sign the sample probes for virtualization (sandbox evasion).

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the hide-from-debugger flag so an attached debugger does not receive its events (anti-debug).

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger class to detach the calling thread from any debugger (anti-debug).

    • Suspicious use of SetThreadContext

      Rewrites a thread's register context, commonly used to redirect execution in a suspended process (process hollowing / injection).
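The hashes, the extracted FTP exfiltration host and account, and the behavioural signatures above can be turned into a small matcher that a responder runs over endpoint and network telemetry. The following is an added example and not part of the sandbox report or the Triage signature set: the JSON-lines event schema and the sample events are constructed for illustration, and the QEMU guest agent path marker, the list of IP-lookup services and the Uninstall registry key path are assumptions about what the corresponding signatures look for.

```python
"""Match this report's indicators against endpoint and network event logs.

Added example, not part of the sandbox report. The JSON-lines event schema
and SAMPLE_EVENTS below are constructed for illustration; the QEMU agent
path marker, the IP-lookup host list and the Uninstall key path are
assumptions about what the corresponding signatures look for.
"""
import hashlib
import json

# Values copied from the report.
SAMPLE_HASHES = {
    "md5": "607d8ff147f8f5cfc825c159319684ef",
    "sha1": "827b8de4f2db33ac5d9a43445d71d1c003827ae4",
    "sha256": "aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5",
}
EXFIL_HOST = "ftp.sentientshift.com"
EXFIL_PORT = 21
EXFIL_USER = "senti@sentientshift.com"

# Assumed markers for the behavioural signatures (not printed on the report).
UNINSTALL_KEY = r"software\microsoft\windows\currentversion\uninstall"
QEMU_AGENT_MARKER = "qemu-ga"
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.amazonaws.com", "icanhazip.com", "ip-api.com"}
HIDE_FROM_DEBUGGER_APIS = {"NtSetInformationThread", "NtCreateThreadEx"}


def file_hashes(data: bytes) -> dict:
    """Compute the hashes the report lists, for comparing a file on disk."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_reported_sample(data: bytes) -> bool:
    """True only when all three hashes match the report (byte-identical sample)."""
    return file_hashes(data) == SAMPLE_HASHES


def classify_event(ev: dict) -> list:
    """Return the names of the report behaviours a single event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "network":
        host = str(ev.get("dest_host", "")).lower()
        if host == EXFIL_HOST and ev.get("dest_port") == EXFIL_PORT:
            hits.append("ftp_exfil_host")
        if host in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    elif kind == "ftp_login":
        if ev.get("user") == EXFIL_USER:
            hits.append("ftp_exfil_creds")
    elif kind == "registry":
        if UNINSTALL_KEY in str(ev.get("key", "")).lower():
            hits.append("uninstall_key_enum")
    elif kind == "file":
        if QEMU_AGENT_MARKER in str(ev.get("path", "")).lower():
            hits.append("qemu_agent_check")
    elif kind == "api":
        api = ev.get("api", "")
        if api in HIDE_FROM_DEBUGGER_APIS and "HideFromDebugger" in str(ev.get("args", "")):
            hits.append("thread_hide_from_debugger")
        if api == "SetThreadContext":
            hits.append("set_thread_context")
    return hits


def scan(lines) -> dict:
    """Count behaviour hits over JSON-lines events; malformed lines are skipped, not fatal."""
    counts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for name in classify_event(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample events (raw string so the JSON keeps its escaped backslashes).
SAMPLE_EVENTS = r"""
{"type": "network", "pid": 4120, "dest_host": "ftp.sentientshift.com", "dest_port": 21}
{"type": "ftp_login", "pid": 4120, "host": "ftp.sentientshift.com", "user": "senti@sentientshift.com"}
{"type": "network", "pid": 4120, "dest_host": "api.ipify.org", "dest_port": 443}
{"type": "registry", "pid": 4120, "op": "QueryKey", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"}
{"type": "file", "pid": 4120, "op": "Open", "path": "C:\\Program Files\\Qemu-ga\\qemu-ga.exe"}
{"type": "api", "pid": 4120, "api": "NtSetInformationThread", "args": "ThreadHideFromDebugger"}
{"type": "api", "pid": 4120, "api": "SetThreadContext", "args": "hThread=0x1a4"}
{"type": "network", "pid": 7008, "dest_host": "www.example.com", "dest_port": 443}
this line is not JSON and must not abort the scan
""".strip().splitlines()


if __name__ == "__main__":
    for name, n in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: {n}")
```

The hash check is deliberately strict (all three digests must agree) because a recompiled or re-packed build of the same family will share none of them; the behavioural matches are what carry over to variants, and the FTP host and account are the strongest network pivots for this particular build.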

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic      Technique                      ID      Matching signatures
  Discovery   Query Registry                 T1012   2
  Discovery   System Information Discovery   T1082   2

Tasks