General

  • Target

    b0ae2b7437d3c579334053db2da6e1a3b4e0435fcdcc77bc11bcf58c6289a859.exe

  • Size

    706KB

  • Sample

    240518-le1htade31

  • MD5

    d9307c948c324d081e572845ffb7cabc

  • SHA1

    1669ced0e46deaaffb404725fa3162c540d6f086

  • SHA256

    b0ae2b7437d3c579334053db2da6e1a3b4e0435fcdcc77bc11bcf58c6289a859

  • SHA512

    15da0817042a81737a10c7ffe930b2b699aa4d21c46d2e594024ef34c4f2473cf1d455eb40c31dabc8b02bea1f5555a3593c81aff485639cffa5ed2d6653db47

  • SSDEEP

    12288:xM2iN3skSKSIwFl9e4FgHFyemxZipNU9jhDDLaZlwRyUqg8M1G3KUr/p:xM19JSNIe9e8g/sZiM9jx8iyHg8gGnrh

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.jeepcommerce.rs
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Cgn+Udqt0F%y

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.jeepcommerce.rs
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Cgn+Udqt0F%y

Targets

    • Target

      b0ae2b7437d3c579334053db2da6e1a3b4e0435fcdcc77bc11bcf58c6289a859.exe

    • Size

      706KB

    • MD5

      d9307c948c324d081e572845ffb7cabc

    • SHA1

      1669ced0e46deaaffb404725fa3162c540d6f086

    • SHA256

      b0ae2b7437d3c579334053db2da6e1a3b4e0435fcdcc77bc11bcf58c6289a859

    • SHA512

      15da0817042a81737a10c7ffe930b2b699aa4d21c46d2e594024ef34c4f2473cf1d455eb40c31dabc8b02bea1f5555a3593c81aff485639cffa5ed2d6653db47

    • SSDEEP

      12288:xM2iN3skSKSIwFl9e4FgHFyemxZipNU9jhDDLaZlwRyUqg8M1G3KUr/p:xM19JSNIe9e8g/sZiM9jx8iyHg8gGnrh

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks