General

  • Target

    99200032052824.bat.exe

  • Size

    531KB

  • Sample

    240527-hwg61sbh21

  • MD5

    085de7ac75bbd791c1b1f979fe8ff78c

  • SHA1

    f33f25a99dbf0f7b9c2ad2bc886e7748cb5d888f

  • SHA256

    f76bdeb70f9927c49aa87d92d92eb93d05317a3bde63da7a78a11033b29b41ab

  • SHA512

    afb829b774d73e4195702ff0e604626e485c2fc1b1bba93218e487947c75b2fe895ce1078f314746b256e591bbba545736be4722e569546d84a0edef7c259d4f

  • SSDEEP

    6144:i7eSVq22TITpPumUWUdtmYQ+V3Wm8WABXQsHSx4J5t9oDTsaPhygOdtUwj0Tnmu9:karCpPHibxB3mlaPhygoRu6Xo

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    code@hearing-vision.com
  • Password:
    LILKOOLL14!

Targets

    • Target

      99200032052824.bat.exe

    • Size

      531KB

    • MD5

      085de7ac75bbd791c1b1f979fe8ff78c

    • SHA1

      f33f25a99dbf0f7b9c2ad2bc886e7748cb5d888f

    • SHA256

      f76bdeb70f9927c49aa87d92d92eb93d05317a3bde63da7a78a11033b29b41ab

    • SHA512

      afb829b774d73e4195702ff0e604626e485c2fc1b1bba93218e487947c75b2fe895ce1078f314746b256e591bbba545736be4722e569546d84a0edef7c259d4f

    • SSDEEP

      6144:i7eSVq22TITpPumUWUdtmYQ+V3Wm8WABXQsHSx4J5t9oDTsaPhygOdtUwj0Tnmu9:karCpPHibxB3mlaPhygoRu6Xo

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fbe295e5a1acfbd0a6271898f885fe6a

    • SHA1

      d6d205922e61635472efb13c2bb92c9ac6cb96da

    • SHA256

      a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

    • SHA512

      2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

    • SSDEEP

      192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4

    Score
    3/10

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

4
T1005

Tasks