General

  • Target

    8da6aadc3419b96a2b34caf60ef2789cbae62ab30e9c0e9ee310732875135160

  • Size

    13KB

  • Sample

    240521-b5rngsee8y

  • MD5

    abd7575a75e2c4251a332f55d7066942

  • SHA1

    40a4defa872ffb1a72f9e920a7e244f8c098adb0

  • SHA256

    8da6aadc3419b96a2b34caf60ef2789cbae62ab30e9c0e9ee310732875135160

  • SHA512

    f343fb67bc2f74668b1e1aefb70aed7888edc58430f2d3d80a763d194b7319d2f93805d655c7fdebb5249bfaa248d0cd8cd5c51fe7c36fe6477406b384c68b86

  • SSDEEP

    384:myO014q2I5xomxJY+DVOkOavf5PcNof45PcNofHIOIp38uGWdvxjzQd5d+mY5f8d:nVNMy1NHegfIGyG331hT1QViV0

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.lampadari.gr
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    P8P[uVeJU=vh

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks