General

  • Target

    0b04c0f6f1049cccf44f646a51b831684179dde13f7de6c24020fffd653ec90a

  • Size

    85KB

  • Sample

    240511-bjqjasfc45

  • MD5

    0a95eb4fe0f14eeb018e0f9488261092

  • SHA1

    2a36232c5c469995576bf4cd944d4e0651661a65

  • SHA256

    0b04c0f6f1049cccf44f646a51b831684179dde13f7de6c24020fffd653ec90a

  • SHA512

    e1d4bda32e7eadc56d2edaf9908a9950b4549bdb67181b94e03a31adf5ce02004d6e15b17a0fef371fe63419c6c14c46c45698197b558473da07aeb49fb976f5

  • SSDEEP

    1536:5EghNQcNcM+8HF2jUZMOdSJcKOT3UMM1Fe8t8fCXRzGJYPnPEAcif1P5RzhRPSU4:5VI8HEjUZMOdSJcVTKGY86c2ntcif1PO

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.folder.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    R2r76%(3v^H0

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell and hide the display window.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks