General

  • Target: 21e8e0ff64933e4a3527f1cbcd2ac4e18897c9dc34eb155ee4e425eeefd33e30
  • Size: 528KB
  • Sample: 230215-j5chkaaf2z
  • MD5: 8dbcd399727ac2e154187387b7182a72
  • SHA1: 8f1bef48ad81d8b04cac2d765e78073ccfe3af01
  • SHA256: 45b7b124a50a35dda2128d0b2b7108cd09743ae218bf0972f1afa0bcbfe24258
  • SHA512: 12d6148d9e61a919b76c6cf113e6e1b375f40d0c9ecee270112647ee039def145af511f26e08eee99f784ba7cb8db5ef5d7ca8c78df859ef21f73a3a49775571
  • SSDEEP: 12288:fo1NmzWUjCtF8V4p+vtQ+UfJkZsvpJBwYNP/I5RDsPgqo6X:fUN6RSOp5ZZsjBQ5WPgqo6X

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://ftp.valvulasthermovalve.cl
  • Port: 21
  • Username: [email protected]
  • Password: LILKOOLL14!!

Targets

    • Target: 21e8e0ff64933e4a3527f1cbcd2ac4e18897c9dc34eb155ee4e425eeefd33e30
    • Size: 580KB
    • MD5: 98ff92b99b1c9a9adcf26da229504f19
    • SHA1: 7250a928c6806028101c0cc1d1fbc9fd095ffd73
    • SHA256: 21e8e0ff64933e4a3527f1cbcd2ac4e18897c9dc34eb155ee4e425eeefd33e30
    • SHA512: c4b32d8121032ba3abcb7e72012a356ce6a80e0ac075a0afdc151072f6e31a6a43e0c1e053803fec10cf6683df1571569eaaf0c9185cb50818269fe4f762bdf3
    • SSDEEP: 12288:+neB2gFraFjCtF8H4p+ftQ+QfDkZsv1JfwYNl/srRDtzSY:+nY22raFSm55ZZsXVErHz

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target those files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks