General

  • Target

    cantlose.vbs

  • Size

    804KB

  • Sample

    230518-q9y1paca68

  • MD5

    1c8636ac78fc9ed8fbdafe0cca001a5a

  • SHA1

    a8fd7ccc2ef01955208695b84e1b758ce0e1ac17

  • SHA256

    1ecd2d55db79d55f1923ac98e1edf145d5d4ab3260c9dfeb7fa0986aa5414c8e

  • SHA512

    27686708b200903b974be0d1f8d022dac77c0b3550995c361696b1a0256f653ea4de1566b20b579a4eb33cec4990d3b99735a9a1447e1d149d7859e3bf1c103c

  • SSDEEP

    12288:YYF0k656o6B6+6+6+6+6J6p6P6u6O696n6+6S6K65636X6t6u6w6+6p6F6+6+6K8:p

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.solucionesmexico.mx
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    dGG^ZYIxX5!B

Targets

    • Target

      cantlose.vbs

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; the configuration extracted from this sample exfiltrates over FTP to the host listed above.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in selected regions).

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process hollowing and thread-hijacking injection, where execution is redirected to attacker-supplied code.
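The hashes in the General section and the FTP host in the extracted config are the indicators a defender would actually consume from this report. The following is an added example, not part of the original sandbox report: it bundles those indicators, sanity-checks that the copied digests are well-formed, hashes an arbitrary file's bytes with the same four algorithms to test for a match, and scans firewall-style log lines for connections to the exfiltration host. The log lines and the "sample" bytes are constructed stand-ins so the script runs offline; the key=value log format is an assumption, not something the report describes.

```python
"""IOC matcher for the cantlose.vbs / AgentTesla sample in the report above.

Added example. Hash values and the FTP endpoint are copied from the report;
the log lines and file bytes used for demonstration are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# Digests exactly as listed in the report (lowercase hex).
REPORT_HASHES = {
    "md5": "1c8636ac78fc9ed8fbdafe0cca001a5a",
    "sha1": "a8fd7ccc2ef01955208695b84e1b758ce0e1ac17",
    "sha256": "1ecd2d55db79d55f1923ac98e1edf145d5d4ab3260c9dfeb7fa0986aa5414c8e",
    "sha512": (
        "27686708b200903b974be0d1f8d022dac77c0b3550995c361696b1a0256f653e"
        "a4de1566b20b579a4eb33cec4990d3b99735a9a1447e1d149d7859e3bf1c103c"
    ),
}

# Exfiltration endpoint from the extracted AgentTesla config.
EXFIL_URL = "ftp://ftp.solucionesmexico.mx"
EXFIL_PORT = 21
EXFIL_HOST = urlparse(EXFIL_URL).hostname  # "ftp.solucionesmexico.mx"

# Expected hex length of each digest, used to catch copy/paste damage.
_DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_HEX_RE = re.compile(r"^[0-9a-f]+$")


def validate_report_hashes(known: dict = REPORT_HASHES) -> bool:
    """True when every copied digest is lowercase hex of the right length."""
    return all(
        len(value) == _DIGEST_LEN[alg] and _HEX_RE.match(value) is not None
        for alg, value in known.items()
    )


def hash_bytes(data: bytes) -> dict:
    """Compute the same four digests the report lists, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in _DIGEST_LEN}


def match_hashes(data: bytes, known: dict = REPORT_HASHES) -> list:
    """Names of algorithms whose digest of `data` equals the known value."""
    computed = hash_bytes(data)
    return sorted(alg for alg, digest in computed.items()
                  if alg in known and digest == known[alg].lower())


# Constructed firewall-style log lines (assumed key=value format).
CONSTRUCTED_LOGS = """\
2023-05-18T10:01:02Z action=allow src=10.0.0.15 dst=ftp.solucionesmexico.mx dport=21 proto=tcp
2023-05-18T10:01:05Z action=allow src=10.0.0.15 dst=update.microsoft.com dport=443 proto=tcp
2023-05-18T10:02:11Z action=allow src=10.0.0.22 dst=FTP.solucionesmexico.mx dport=21 proto=tcp
2023-05-18T10:03:40Z action=allow src=10.0.0.22 dst=ftp.solucionesmexico.mx dport=2121 proto=tcp
"""

_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def find_exfil_connections(lines, host: str = EXFIL_HOST, port: int = EXFIL_PORT) -> list:
    """Return every connection to the exfil host, noting whether the port matches.

    Matching on the host alone (case-insensitively) is deliberate: a non-standard
    port is still a hit, it just deserves a note.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or m["dst"].lower() != host.lower():
            continue
        dport = int(m["dport"])
        hits.append({"ts": m["ts"], "src": m["src"], "dport": dport,
                     "port_matches": dport == port})
    return hits


if __name__ == "__main__":
    print("report hashes well-formed:", validate_report_hashes())
    print("constructed bytes match report:", match_hashes(b"not the real sample"))
    for hit in find_exfil_connections(CONSTRUCTED_LOGS.splitlines()):
        print(hit)
```

Point `match_hashes` at the bytes of a quarantined file to confirm it is this exact sample; a single matching sha256 is sufficient, the other algorithms are there because feeds often carry only one of them. The ssdeep value from the report is intentionally left out, since fuzzy matching needs the separate ssdeep library.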

Tasks