General

  • Target

    16210869862.zip

  • Size

    17KB

  • Sample

    240327-xm1z4aaa56

  • MD5

    76bcec4047124ebde7d6fd726437ec4f

  • SHA1

    50181c58d4e7ee49da73b16538c10c49ad47bd57

  • SHA256

    451a0de15470d3acfe3e3d546462ac55676d806336d3452ac1bc7ffe6f47cfd4

  • SHA512

    4b6608bc32fdfc608f5b8ef3f4e5cb4a68388db993801bcda2d7153d6e0f036c82c0d71b184852e50cbcddfef6b39b78c7f98896ad27e1bd15c7caf62fab17f8

  • SSDEEP

    384:xjCDf2oXTXrOW3fzi6GJ22xOeNLKJnsoKlUoRoB1N7pToPuEfnnM4qFWw:xjCDflXfXfzwN2JsTRy1Nm9nnVw

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.tecniseal.es
  • Port:
    587
  • Username:
    esther.lopez@tecniseal.es
  • Password:
    12348*tecniseal
  • Email To:
    officialspace6@gmail.com

Targets

    • Target

      Richiesta di preventivo_RFQ20242703_pdf.vbs

    • Size

      38KB

    • MD5

      883530fd75a356dad534bdb7aa39e947

    • SHA1

      2f7cd81fb69b269273068bc97a012216f67e35d0

    • SHA256

      5212ef58efb4b855a2aaf4bbaf81a4912810982631e2afaf246963fea954fe64

    • SHA512

      53d804000f64091fd407747262d011c5d73d892be9cf137d1466bd4150bebb0851fdc11e6937163e845ec3cb7e6929e10e8601833d20fa75e126dbf1a2f46362

    • SSDEEP

      768:u0ygBLXWAZGc8NnKwiQ6x/dSNQT1AOBG/m:Z3qNnKwKLTBB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery

    Query Registry (1 detection) - T1012

    System Information Discovery (2 detections) - T1082

  • Command and Control

    Web Service (1 detection) - T1102

Tasks