General

  • Target

    4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284

  • Size

    915KB

  • Sample

    240604-bwtrgshc69

  • MD5

    830b5a3666861df17fa06afe6bb57170

  • SHA1

    811442711733dde2cf3f711dcdae0cc38b9e6008

  • SHA256

    4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284

  • SHA512

    7ea8c880d63efdcedec6c1aa1a182d7c2dd5e0ac670c1ec6312dad221509212e9be2b198870fbfe4f6f700a7fdaf1c1dfd95df70ab20448d292a5aa74a239f87

  • SSDEEP

    12288:nhX0D9CQStfAheg7w2PUXWkdzyeNaoURCReJKv0+OOt8PYuTBQ5JNHrU32bWrM9D:d0DUY7TsfdHaoUR818CyPY34HA9gW

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Targets

    • Target

      4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284

    • Size

      915KB

    • MD5

      830b5a3666861df17fa06afe6bb57170

    • SHA1

      811442711733dde2cf3f711dcdae0cc38b9e6008

    • SHA256

      4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284

    • SHA512

      7ea8c880d63efdcedec6c1aa1a182d7c2dd5e0ac670c1ec6312dad221509212e9be2b198870fbfe4f6f700a7fdaf1c1dfd95df70ab20448d292a5aa74a239f87

    • SSDEEP

      12288:nhX0D9CQStfAheg7w2PUXWkdzyeNaoURCReJKv0+OOt8PYuTBQ5JNHrU32bWrM9D:d0DUY7TsfdHaoUR818CyPY34HA9gW

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks