General

  • Target

    3d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c.exe

  • Size

    1.1MB

  • Sample

    240408-bm3ysscd99

  • MD5

    b915133065e8c357f8b37e28015088fe

  • SHA1

    61286d2adea00cab97ade25d5221d7cfc36a580b

  • SHA256

    3d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c

  • SHA512

    69e6b492e3b36e55fd64608067d3b7329adb8890fd712e64b845943c5902ef1c983a388bfbfdeff646bc4ddab94c308b26de3b7c04ceea2bed52fc11acf759fc

  • SSDEEP

    24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8aF9sANKM6Vk:WTvC/MTQYxsWR7aFNj6

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.siscop.com.co
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    +5s48Ia2&-(t

Targets

    • Target

      3d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c.exe

    • Size

      1.1MB

    • MD5

      b915133065e8c357f8b37e28015088fe

    • SHA1

      61286d2adea00cab97ade25d5221d7cfc36a580b

    • SHA256

      3d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c

    • SHA512

      69e6b492e3b36e55fd64608067d3b7329adb8890fd712e64b845943c5902ef1c983a388bfbfdeff646bc4ddab94c308b26de3b7c04ceea2bed52fc11acf759fc

    • SSDEEP

      24576:WqDEvCTbMWu7rQYlBQcBiT6rprG8aF9sANKM6Vk:WTvC/MTQYxsWR7aFNj6

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks