General

  • Target

    1aeb7c1a8691f0453f5894ace64ae38018394a2976624b3b67a6b8a850eb7448.exe

  • Size

    715KB

  • Sample

    240604-bfc4ssfg2w

  • MD5

    69b6f85ba5668f5ffa89516e377c5c29

  • SHA1

    940ccb7bd803bd4aa490cea5602a4e7df47219a1

  • SHA256

    1aeb7c1a8691f0453f5894ace64ae38018394a2976624b3b67a6b8a850eb7448

  • SHA512

    b84fff3fb2e9fee8b8096d468fd2f1183e138d2e148a7e9de4ebe01a4b09dfc4c64c5a9f2e01112d723599cbc7f1edf9283fb710b5e41f1c7c73dca0885b2d15

  • SSDEEP

    12288:0mXtKt/rFfaD8bmd3nw3bs2bqi3WPFbtTkALwgQXrA98il/aa9KbiSTv399gkR:f9KN5iD8bL3bdqPbBpLwrA9zlCvGaH

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.ultraflex.com.mx
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Jgj8-p4Z]a1b

Targets

    • Target

      1aeb7c1a8691f0453f5894ace64ae38018394a2976624b3b67a6b8a850eb7448.exe

    • Size

      715KB

    • MD5

      69b6f85ba5668f5ffa89516e377c5c29

    • SHA1

      940ccb7bd803bd4aa490cea5602a4e7df47219a1

    • SHA256

      1aeb7c1a8691f0453f5894ace64ae38018394a2976624b3b67a6b8a850eb7448

    • SHA512

      b84fff3fb2e9fee8b8096d468fd2f1183e138d2e148a7e9de4ebe01a4b09dfc4c64c5a9f2e01112d723599cbc7f1edf9283fb710b5e41f1c7c73dca0885b2d15

    • SSDEEP

      12288:0mXtKt/rFfaD8bmd3nw3bs2bqi3WPFbtTkALwgQXrA98il/aa9KbiSTv399gkR:f9KN5iD8bL3bdqPbBpLwrA9zlCvGaH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks