General

  • Target

    20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.exe

  • Size

    370KB

  • Sample

    240515-lwzb3sbh9x

  • MD5

    c47b0b123860ec7c7875dc27cd8909ac

  • SHA1

    69dfba63167499227db3d0f3ae0bea3d8f18253a

  • SHA256

    599973c508c9341b937561cbf8e9fe0976e438a94bf3b7714f0bca4c3d671c3b

  • SHA512

    07ea0b81fcae582e20a2960652eac7f48a48f717085f523744bc3813c5bcf9ca5415672139ffa35b118e7adcff9a98e948a088430e7a1c573045e23bde1c7938

  • SSDEEP

    6144:LspNjlspr76260rR2nw4r1wuY6gyVWLf7aM3t4SPRtfVWnguye/LF3UXAygd:LcqjpRkap+AzN3t4SPRtfVWguye/Ll4Y

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.exe

    • Size

      370KB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other secrets.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      17ed1c86bd67e78ade4712be48a7d2bd

    • SHA1

      1cc9fe86d6d6030b4dae45ecddce5907991c01a0

    • SHA256

      bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

    • SHA512

      0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

    • SSDEEP

      192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b55f7f1b17c39018910c23108f929082

    • SHA1

      1601f1cc0d0d6bcf35799b7cd15550cd01556172

    • SHA256

      c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7

    • SHA512

      d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa

    • SSDEEP

      96:L7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN538:RbGgGPzxeX6D8ZyGgmkN

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks