General

  • Target

    jpgcamscanner_20240521_0072345_JPEG.bat.exe

  • Size

    370KB

  • Sample

    240522-wn6rasbc2w

  • MD5

    18776562551c3adcdc9f49c013772fbd

  • SHA1

    ee124b7cd0296b4e524454ab12059b8be60bc002

  • SHA256

    05df6f3430171cb7db9fa5f6782b8f67b14079b6e1dffbb013c33ca91b1ad5d3

  • SHA512

    c16b5c1c7822af0bee4d5f9707e00a4513e00b0925844fa3c8ba8afbaf7172d2b185dfaf8b1bc1fdce00c6a44d62d34d5bf611c0a2219de0a030ea2f64767364

  • SSDEEP

    6144:MDGIRuoQiOd9kyzCiY1vJ/BnA+XCzW8w3hRTMiZ4rbcevq:zItQiOdCyzItA+XLRQiZWC

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.instantprint.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playmen123#@

Targets

    • Target

      jpgcamscanner_20240521_0072345_JPEG.bat.exe

    • Size

      370KB

    • MD5

      18776562551c3adcdc9f49c013772fbd

    • SHA1

      ee124b7cd0296b4e524454ab12059b8be60bc002

    • SHA256

      05df6f3430171cb7db9fa5f6782b8f67b14079b6e1dffbb013c33ca91b1ad5d3

    • SHA512

      c16b5c1c7822af0bee4d5f9707e00a4513e00b0925844fa3c8ba8afbaf7172d2b185dfaf8b1bc1fdce00c6a44d62d34d5bf611c0a2219de0a030ea2f64767364

    • SSDEEP

      6144:MDGIRuoQiOd9kyzCiY1vJ/BnA+XCzW8w3hRTMiZ4rbcevq:zItQiOdCyzItA+XLRQiZWC

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      143c1b18ccd1ab2ceed02caf0e06ef8a

    • SHA1

      b59d780e0a85f816b41aa657d4a643d77bd20a99

    • SHA256

      8920afae5d9c06f6ba1f254a1e32ac2acfb0fdb11ab2158cfe880a191045e3d7

    • SHA512

      91bd09610679224a7774044b16054721567385d3faa241e72b51f27ef660870f7282e887016df492d5b3ab3b6d9c130e036258c4f27d5ca4cc3a12b76ff71b39

    • SSDEEP

      96:8eS0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqk5nLiEQjJ3KxkP:t8BfjbUA/85q3wEh8uLmcLpmP

    Score
    1/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      b0c77267f13b2f87c084fd86ef51ccfc

    • SHA1

      f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

    • SHA256

      a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

    • SHA512

      f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

    • SSDEEP

      192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      eac1c3707970fe7c71b2d760c34763fa

    • SHA1

      f275e659ad7798994361f6ccb1481050aba30ff8

    • SHA256

      062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3

    • SHA512

      3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

    • SSDEEP

      96:oXHqZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4AqndYHnxss:oXHq+CP3uKrpyREs06YxcdGn

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks