General

  • Target

    21052024143521052024QJAS2024P01080Q20240521.IMG

  • Size

    1.2MB

  • Sample

    240522-w3pfkabh7y

  • MD5

    ee46f4cb0faacef486ba752add49799e

  • SHA1

    2507c14f79b35cfc5d2187a797be8745752dda81

  • SHA256

    0b4a3dd50fed1972cb41fa18b79d8a51ae8b15ae8d31e4facd926a86bfa6926f

  • SHA512

    3f71cceb1be3890800859c99163ca6456cb8c40f5289b2d59c251022922f05d3f495a06f6d2fa0919ddc693f1cf9a1ea79917ce47199944b5666f661bfb622bd

  • SSDEEP

    6144:0DGIRuoQi1NgwFSaUVf9GBVoqzai9ghRTMiZ4rbcev:rItQi1awNUaBVJza2QRQiZW

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.instantprint.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playmen123#@

Targets

    • Target

      QJAS2024P01-080 Q20240521.bat

    • Size

      365KB

    • MD5

      c384da3e37c99bfc9faebad32ecfb668

    • SHA1

      b852f9fa14ac453cee0d75498254eab0cf6cc35a

    • SHA256

      55ced74de69fdb2659600fae77f6177b2c9d973c0da60060546010e71309d92e

    • SHA512

      f0f3a7f37f21e26e5969fb7e5830e12061cf2659e40a0bc6e8d1d9642de65b6882f24a8ede55afa793fcc8ba741897bfacba0aab3fe0288953e116263d422ec5

    • SSDEEP

      6144:MDGIRuoQi1NgwFSaUVf9GBVoqzai9ghRTMiZ4rbcevR:zItQi1awNUaBVJza2QRQiZWp

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      143c1b18ccd1ab2ceed02caf0e06ef8a

    • SHA1

      b59d780e0a85f816b41aa657d4a643d77bd20a99

    • SHA256

      8920afae5d9c06f6ba1f254a1e32ac2acfb0fdb11ab2158cfe880a191045e3d7

    • SHA512

      91bd09610679224a7774044b16054721567385d3faa241e72b51f27ef660870f7282e887016df492d5b3ab3b6d9c130e036258c4f27d5ca4cc3a12b76ff71b39

    • SSDEEP

      96:8eS0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqk5nLiEQjJ3KxkP:t8BfjbUA/85q3wEh8uLmcLpmP

    Score
    1/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b0c77267f13b2f87c084fd86ef51ccfc

    • SHA1

      f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

    • SHA256

      a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

    • SHA512

      f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

    • SSDEEP

      192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      eac1c3707970fe7c71b2d760c34763fa

    • SHA1

      f275e659ad7798994361f6ccb1481050aba30ff8

    • SHA256

      062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3

    • SHA512

      3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

    • SSDEEP

      96:oXHqZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4AqndYHnxss:oXHq+CP3uKrpyREs06YxcdGn

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks