General

  • Target

    e47140a389037bf3c66528b2a762dd359b3d2da361f324819b18ca595d2f178e.exe

  • Size

    1.0MB

  • Sample

    240519-cydcysdg7v

  • MD5

    dc8a137a9917260473120aa235f69f5f

  • SHA1

    dd74caccc6c2ab38da7f4171d1a64ae506f185b8

  • SHA256

    e47140a389037bf3c66528b2a762dd359b3d2da361f324819b18ca595d2f178e

  • SHA512

    de49ba1a489a488fa15262869f49944a3a46f1d2b2a1fc1e55b7e9914b92d892b5e22bc0230a7e8b7dd072f11753d7d683c4d49cb993d85eff23a92acdc61c19

  • SSDEEP

    12288:MUfbdTxwbed/QIA8EmCCZPyXNDxaMejIQv7iglCqRoeuIIymiR8gZMRnObwZNtV:MUfhTFQBeCHND/j87j8oIhiR8gv69

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tekserendustriyel.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    chuzy2024@

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.tekserendustriyel.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    chuzy2024@

Targets

    • Target

      e47140a389037bf3c66528b2a762dd359b3d2da361f324819b18ca595d2f178e.exe

    • Size

      1.0MB

    • MD5

      dc8a137a9917260473120aa235f69f5f

    • SHA1

      dd74caccc6c2ab38da7f4171d1a64ae506f185b8

    • SHA256

      e47140a389037bf3c66528b2a762dd359b3d2da361f324819b18ca595d2f178e

    • SHA512

      de49ba1a489a488fa15262869f49944a3a46f1d2b2a1fc1e55b7e9914b92d892b5e22bc0230a7e8b7dd072f11753d7d683c4d49cb993d85eff23a92acdc61c19

    • SSDEEP

      12288:MUfbdTxwbed/QIA8EmCCZPyXNDxaMejIQv7iglCqRoeuIIymiR8gZMRnObwZNtV:MUfhTFQBeCHND/j87j8oIhiR8gv69

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or using KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks