General

  • Target

    84e89e218dd82b2242aef5d3edc0032a82b3c63dd05d15de17634bf1a631bd07

  • Size

    340KB

  • Sample

    231209-cgpdwsffd8

  • MD5

    c9dceefdbb1e81aabccc374cd4d4569f

  • SHA1

    d14d0e12040b4f164929426fa1b9c4b57bcd41e4

  • SHA256

    84e89e218dd82b2242aef5d3edc0032a82b3c63dd05d15de17634bf1a631bd07

  • SHA512

    adf87ae5821dc2c39460da738088fc9d6120b4abc38d2450a98b50d09e281bbf94bb35dba3d640a773baa865180a223101eee96493a48f92d415948af25e4090

  • SSDEEP

    6144:6EQZOh0wgD+O49Nngop6vHkmojybuuFlDUTNolzLukY++gqj6y48q887:6pZODO4LIsYbF0NKzLuF+Y6yjqF

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.atelierzolotas.gr
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    alibaba.com

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.atelierzolotas.gr
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    alibaba.com

Targets

    • Target

      84e89e218dd82b2242aef5d3edc0032a82b3c63dd05d15de17634bf1a631bd07

    • Size

      340KB

    • MD5

      c9dceefdbb1e81aabccc374cd4d4569f

    • SHA1

      d14d0e12040b4f164929426fa1b9c4b57bcd41e4

    • SHA256

      84e89e218dd82b2242aef5d3edc0032a82b3c63dd05d15de17634bf1a631bd07

    • SHA512

      adf87ae5821dc2c39460da738088fc9d6120b4abc38d2450a98b50d09e281bbf94bb35dba3d640a773baa865180a223101eee96493a48f92d415948af25e4090

    • SSDEEP

      6144:6EQZOh0wgD+O49Nngop6vHkmojybuuFlDUTNolzLukY++gqj6y48q887:6pZODO4LIsYbF0NKzLuF+Y6yjqF

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks