General

  • Target: RFQ.exe
  • Size: 228KB
  • Sample: 240408-nc45bsbb7s
  • MD5: 10d4e066efcd44d9747d5d2cbe8995ce
  • SHA1: d05fcb43118ab2ab98221e668d5cc5a2dd869dc4
  • SHA256: e238672df7f0d8a1440fcaeddf6051cddc05866e59e4d162cc416b6cc3c9e6ce
  • SHA512: 06ff4605affa86051f031bc930ea3c6c8217cd4424aad0fb3277aa0a919738e5e5343a9eb80f05a01957a3dbd051338f440ab06a03976ada4a8a3fc0639ff46a
  • SSDEEP: 3072:QJl7eq37BRv4SlPZJDJVuBMw/GAhdlaxxDcYjIMg3U84Mwwvf8TZfehnIuNy7GmL:QJZXASdSS/AjlaAYfgE8TH8TZfY5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://80.92.205.47
  • Port:
    21
  • Username:
    delizzasuppl
  • Password:
    99EK7bvTZr4zBnwW

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    80.92.205.47
  • Port:
    21
  • Username:
    delizzasuppl
  • Password:
    99EK7bvTZr4zBnwW

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
