General

  • Target

    8c8f6c263d24354338e5d2d50d671a6e529d902be66962dab85932a326477e75.exe

  • Size

    1019KB

  • Sample

    240523-b5kvyahb2x

  • MD5

    ca82319fef771a184d1f98750e5bbb21

  • SHA1

    11893474d3fd90f57cde4f16bfc153b4448d1363

  • SHA256

    8c8f6c263d24354338e5d2d50d671a6e529d902be66962dab85932a326477e75

  • SHA512

    f84517ddb447def1f621a468e442cf5ffd4fdff90a2df35f88df059bfddbd0d4cf336e94b8af5e2cd2ce79cc6c372e20171931deb3af5fdf15f3092e3b7dcd3c

  • SSDEEP

    24576:NAHnh+eWsN3skA4RV1Hom2KXMmHazXBHMfJ5:sh+ZkldoPK8YazXBHA

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.midhcodistribuciones.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ,A7}+JV4KExQ

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables, mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks