General

  • Target: b1ffeaa164e3794b364d3f9aca4f02d2.bin
  • Size: 25KB
  • Sample: 230331-casgzagc49
  • MD5: ac9ea3b9ec57c241e5f4653bfd60d2a0
  • SHA1: bc2e2e01cef33e92d23f4228e7d2e5df9eb5bd1c
  • SHA256: 82b9b8a27c9207c488225a48956b069210aa8aafbc33f965c564b1079cd3f231
  • SHA512: cbc617849e3eb90c6c1284440c63d0be4eb6c67a002d3f1c718c914480e700fd5b748171d1ea924c7e2e7ab377424191d0b8905af12060ebc49f5ea8abe51f44
  • SSDEEP: 384:HiZLbAs7t/jwHkg5oU49syrjdzJlJUwQ3Wj3ggtx8xL2UgJ4VImjUuoCLsGu40Qa:CZnAqUHkg/4G0jJ8mE1+JDm4osPQwX

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://ftp.sisoempresarialsas.com
  • Port: 21
  • Username: droid@sisoempresarialsas.com
  • Password: .!LV?]FKWxUy

Targets

    • Target: ad9ae0fa9d69baa98a9a0ba1660e93b6f87c8f1f226b01b0fa903dcb84cac6dc.vbs
    • Size: 867KB
    • MD5: b1ffeaa164e3794b364d3f9aca4f02d2
    • SHA1: 3aaaddbf7c7c21b2b5886eefa79e0abc7d6b8d69
    • SHA256: ad9ae0fa9d69baa98a9a0ba1660e93b6f87c8f1f226b01b0fa903dcb84cac6dc
    • SHA512: b84776e41414252f6da59fc26dc12560b29d8e0eaf9a515cafcd47bd15d6702ee7ee3c2f0fd82d23ea862381896b6438851c8e4aad7aa5c5ca83efca93f3e396
    • SSDEEP: 1536:D5FjaXGxbMN75ro6BHB1ZoVuwDTTTTNVBTwqq/YvldOJl7dhWFHFbTTYTEsTT7l2:fQZ4x

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic       Technique                      Count  ID
  Discovery    Query Registry                 1      T1012
  Discovery    System Information Discovery   2      T1082
  Collection   Email Collection               1      T1114
