Resubmissions

30/05/2024, 14:03

240530-rcyt4acb63 10

30/05/2024, 12:13

240530-pd3tbshf33 10

General

  • Target: Conferma di pagamento 003949900.img
  • Size: 1.2MB
  • Sample: 240530-rcyt4acb63
  • MD5: e3d9f9ca702eaf1dda45737e3d6d3657
  • SHA1: 99f1ddd6fe6c752a42a785b73f5083adaeaf359f
  • SHA256: 9b592f561c9b16240b9d95a1606cef69476296ac01cf8c52b7f175bc0fe65b99
  • SHA512: c2897b5f2b6fdbb58377dae911d64215c1670a4f6a6af08ee808f0352ec2a8a25c16a631a7b64f7dd74ff5d75d8b12a6ae05628c8e3d0d7ccd35cd5d4e8ec8d6
  • SSDEEP: 6144:h//I2y3VKIo8oJwO9qJCVTaTb7XqjfTundGKNPZ2QSKkdKwYklIPCBzrlFLqktmD:dvdsolqcQb7wfTuAuPMplp3IXj

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://ftp.atisceramiche.it
  • Port: 21
  • Username: [email protected]
  • Password: boygirl123456

Targets

  • Target: Conferma di pagamento 003949900.img
  • Size: 1.2MB
  • MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed for this file in the General section above
  • Score: 6/10
  • Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.

  • Target: Conferma di pagamento 003949900.bat
  • Size: 480KB
  • MD5: 1b27df99b7846825039b462c81398ced
  • SHA1: 2648379db4f545e31f7dcde499177d7fe82e3c2c
  • SHA256: 02c8ba535f477255df334a19882cc219f079ce64ca1d5e0deec810fd06e48981
  • SHA512: 6487c40cae227a85fe043efa3aa90bad7780effdffe56d45d38287f02d67d102f932feb9ce25f8e883bad13e36f2a3c9bbb5738b0cb02b9861bf85fa08c099a4
  • SSDEEP: 6144:u//I2y3VKIo8oJwO9qJCVTaTb7XqjfTundGKNPZ2QSKkdKwYklIPCBzrlFLqktmu:0vdsolqcQb7wfTuAuPMplp3IXjq
  • AgentTesla
    Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  • Loads dropped DLL
  • Reads WinSCP keys stored on the system
    Tries to access WinSCP stored sessions.
  • Reads data files stored by FTP clients
    Tries to access configuration files associated with programs like FileZilla.
  • Reads user/profile data of local email clients
    Email clients store some user data on disk, where infostealers often target it.
  • Reads user/profile data of web browsers
    Infostealers often target stored browser data, which can include saved credentials.
  • Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Suspicious use of NtCreateThreadExHideFromDebugger
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  • Suspicious use of SetThreadContext

  • Target: $PLUGINSDIR/System.dll
  • Size: 11KB
  • MD5: ee260c45e97b62a5e42f17460d406068
  • SHA1: df35f6300a03c4d3d3bd69752574426296b78695
  • SHA256: e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
  • SHA512: a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3
  • SSDEEP: 192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
  • Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks