General

  • Target

    ΠΡΟΣΦΟΡΑ ΠΑΝΕΛ X37 4-3-2024.pdf.uue

  • Size

    513KB

  • Sample

    240312-j65kqscd9s

  • MD5

    c2a88caf78221d1341ef965b3197528f

  • SHA1

    c67f4497268b58efe718421071ce8788cf313d1e

  • SHA256

    5871e1613e22726e5efa542c429360572c43fe65ad87db94373e599b21181177

  • SHA512

    b2545e4ad67a46650d9d357b4fe7a692b9940fa9ca99a65b158f3a4c9574dca506f2f034699eafbfa0c47faeb0ae999dec4b7c353a4ee15c4a433d04da195e6c

  • SSDEEP

    12288:JRDiK+9v/+5OTW5PTzFj+5lsnDJeXlspw8Q/k8cfsniKqi18e:iK75AWFzFqM0lspw8Q/kTKh1J

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.solucionesmexico.mx
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    dGG^ZYIxX5!B

Targets

    • Target

      ΠΡΟΣΦΟΡΑ ΠΑΝΕΛ X37 4-3-2024.pdf.uue

    • Size

      513KB

    • MD5

      c2a88caf78221d1341ef965b3197528f

    • SHA1

      c67f4497268b58efe718421071ce8788cf313d1e

    • SHA256

      5871e1613e22726e5efa542c429360572c43fe65ad87db94373e599b21181177

    • SHA512

      b2545e4ad67a46650d9d357b4fe7a692b9940fa9ca99a65b158f3a4c9574dca506f2f034699eafbfa0c47faeb0ae999dec4b7c353a4ee15c4a433d04da195e6c

    • SSDEEP

      12288:JRDiK+9v/+5OTW5PTzFj+5lsnDJeXlspw8Q/k8cfsniKqi18e:iK75AWFzFqM0lspw8Q/kTKh1J

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer, commonly written in Visual Basic .NET; it harvests saved credentials and exfiltrates them over SMTP, FTP or HTTP (here the extracted config is FTP).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIt Executable

      AutoIt scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

      Typical of process hollowing (RunPE): a payload is written into a suspended process and the main thread's context is pointed at the new entry point.

    • Target

      ΠΡΟΣΦΟΡΑ ΠΑΝΕΛ X37 4-3-2024.pdf.exe

    • Size

      538KB

    • MD5

      4a131474e1604362ea66aa8cb2cfa2d9

    • SHA1

      76d840d9a217d576632e46bd180ea24a90ad00c9

    • SHA256

      ec62e133dd492c0e3a590316c54a0a20bfce592744c99cafdf430718c62bab02

    • SHA512

      7a323c6a3c4b8ee6ff17409bb60a9012cf48f5403c85e6297c3e8d132521718b2d841eb6c7d2bce807ec24b90709a218fc398144ea04834a7c3b4e7dc2a1c249

    • SSDEEP

      12288:TYV6MorX7qzuC3QHO9FQVHPF51jgcxaVu+hyrwctIJqTPL:QBXu9HGaVHGIeqTz

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer, commonly written in Visual Basic .NET; it harvests saved credentials and exfiltrates them over SMTP, FTP or HTTP (here the extracted config is FTP).

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIt Executable

      AutoIt scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

      Typical of process hollowing (RunPE): a payload is written into a suspended process and the main thread's context is pointed at the new entry point.

    • Target

      out.upx

    • Size

      1009KB

    • MD5

      81cdfd745e1a75b778413c3a3544c2a4

    • SHA1

      457c28c0d774cc84ed358b4d660a898de5793d12

    • SHA256

      197edfbbb2b812fde5fada0747d7782ed91ce80a3c8848c5e8e76524bcd37acf

    • SHA512

      1b0f8307eb3c66792a5871705912f137390e3062a4e014107a58972ed13694508a0fed81c85a451a45bb62d5241e6a7bb00d326aef3afdc3da529cb7e11d3ab1

    • SSDEEP

      24576:WAHnh+eWsN3skA4RV1Hom2KXDmyIeqTz:xh+ZkldoPKz1IJ

    Score
    1/10
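The static signatures above (a document-looking double extension such as .pdf.uue / .pdf.exe, UPX section names, a compiled AutoIt script) can be checked before a sample ever reaches a sandbox. The following is an added example and is not part of this report or of the Agent Tesla sample: it parses the PE section table by hand, looks for the stock UPX section names and the "AU3!EA06" marker that compiled AutoIt v3 scripts carry, and flags deceptive double extensions on the file names listed on this page (the lure name is Greek, roughly "PANEL OFFER X37 4-3-2024"). The minimal PE image it tests against is constructed inside the block so it runs offline; the extension lists and the heuristic names are assumptions, not output of the sandbox.

```python
import struct
from typing import Dict, List

# Heuristics mirroring the sandbox signatures on this page (assumptions, labelled):
# - section names that stock UPX writes; a modified UPX build may rename them
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
# - marker present in compiled AutoIt v3 scripts (commonly used as a YARA string)
AUTOIT_MARKER = b"AU3!EA06"
# - document-looking inner extension hidden behind an executable/container extension
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")
OUTER_EXTS = (".exe", ".scr", ".com", ".pif", ".vbs", ".js", ".uue", ".iso", ".img")


def deceptive_double_extension(filename: str) -> bool:
    """True for names like 'quote.pdf.exe' or 'quote.pdf.uue'."""
    lower = filename.lower()
    for outer in OUTER_EXTS:
        if lower.endswith(outer):
            stem = lower[: -len(outer)]
            return any(stem.endswith(doc) for doc in DOCUMENT_EXTS)
    return False


def pe_section_names(data: bytes) -> List[bytes]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew : e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off : off + 8].rstrip(b"\0"))
    return names


def triage_file(filename: str, data: bytes) -> Dict[str, object]:
    """Static pre-triage: name trick, UPX section names, AutoIt marker."""
    try:
        names = pe_section_names(data)
    except (ValueError, struct.error):
        names = []  # not a (complete) PE, e.g. the .uue container itself
    return {
        "deceptive_extension": deceptive_double_extension(filename),
        "upx_sections": [n.decode("ascii", "replace") for n in names if n in UPX_SECTION_NAMES],
        "autoit_marker": AUTOIT_MARKER in data,
    }


def build_test_pe(section_names: List[bytes], overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 header (not runnable) so the parser can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> right after DOS header
    opt_size = 0xE0                                             # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + overlay


if __name__ == "__main__":
    # Constructed stand-in for the dropped .pdf.exe: UPX section names plus an AutoIt marker
    packed = build_test_pe([b"UPX0", b"UPX1", b".rsrc"], bytes(64) + AUTOIT_MARKER + bytes(64))
    for name, blob in [
        ("ΠΡΟΣΦΟΡΑ ΠΑΝΕΛ X37 4-3-2024.pdf.exe", packed),
        ("out.upx", build_test_pe([b".text", b".data", b".rsrc"])),
    ]:
        print(name, triage_file(name, blob))
```

Both PE heuristics are cheap and also cheap to evade: a modified UPX that renames its sections (which the signature text itself anticipates) or a repacked AutoIt stub defeats them, so treat a hit as a reason to prioritise a sample, and a miss as no information. The double-extension check, by contrast, catches the lure as delivered (.pdf.uue) and the extracted executable (.pdf.exe) regardless of packing.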

MITRE ATT&CK Enterprise v15

Tasks