General

  • Target

    SCAN.AWB.img

  • Size

    1.2MB

  • Sample

    240520-pay1zaad52

  • MD5

    26913acdbbcc1b40d947d0cf8142cfb7

  • SHA1

    1bf254ba735f08665f68f5614ed80c06effea582

  • SHA256

    f611a512d65053f68baee97be8cbda5e0539fe061032466a1937c9a1659c2791

  • SHA512

    28290754f6245ba5c5b380064767aa6ad494b67210b8cee24b247741e9da604522454792e1842772ba76b57de0cdc27d768199492a2d458323d6acc36effe123

  • SSDEEP

    12288:PeCLyNx2qdIzjxxtdH7JZOqBhg5F0y/7dncz+kOILaw/mD+Ksj:PebNwqaz9jB7JZTEFT5mL41

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.scootero.cl
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Dangote1235$

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SCAN.AWB.exe

    • Size

      570KB

    • MD5

      acf130a10b41446bb89bf89e630c7fa3

    • SHA1

      93ab6a6eb407f475f3c5eea4fb2426339f6e1619

    • SHA256

      7ea4b0492d4bd06af8088ed24374001cabe43bac4a8477c9d4c16428ebe7d511

    • SHA512

      7336f5cf39695dc457f90b8056d3fa19317725427f2f7efdcc826d9dd93bb287d8188ecd3a771f7a92d1cf8a9c5aafb9ffbc71698d6e48ba01b87e6625f85965

    • SSDEEP

      12288:9eCLyNx2qdIzjxxtdH7JZOqBhg5F0y/7dncz+kOILaw/mD+Ksjo:9ebNwqaz9jB7JZTEFT5mL41T

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      8b3830b9dbf87f84ddd3b26645fed3a0

    • SHA1

      223bef1f19e644a610a0877d01eadc9e28299509

    • SHA256

      f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    • SHA512

      d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

    • SSDEEP

      192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks