General

  • Target

    43680d15253c03c6df241c645523de164cc2ff21270b241f6e21cbde83b07015

  • Size

    12KB

  • Sample

    240427-b1tx2sgc99

  • MD5

    3e09dac22349c76c2589dd38c7c3c6c3

  • SHA1

    74852521e1b3ccc8150d30fa53f1dfd3dca97849

  • SHA256

    43680d15253c03c6df241c645523de164cc2ff21270b241f6e21cbde83b07015

  • SHA512

    04b225dfa304554189c90e55a56051e1f6d9588acf2da3c4b0160c13ceb2f8b4edd73b0c0fbaf671e64decadd09fbc4441d09bca11e44f90661f58a7acb6c3cf

  • SSDEEP

    384:+J9BHkNV436k6UqgoAu7d+mU5G6ix3nMR7H+bCRJOVpPgRcVNeb9Skk0YA7J:xV+/zqga7gP5Glx3nMRq2OVZgQkk0YK

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.controlfire.com.mx
  • Port:
    587
  • Username:
    apama@controlfire.com.mx
  • Password:
    [;E4nNUMlscW
  • Email To:
    apama_reports@controlfire.com.mx

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry (1 signature): T1012
  • System Information Discovery (2 signatures): T1082

Tasks