General

  • Target

    fda3b2d17de58bf81860323b1ce53355a8a9de12e1215881c12303b243a0d0e7

  • Size

    1.4MB

  • Sample

    240604-bwwwvage6y

  • MD5

    486384c7110cedd534e11273f81b304b

  • SHA1

    b3809040a8aeef27e18673a7dd83af2925f2ff6f

  • SHA256

    fda3b2d17de58bf81860323b1ce53355a8a9de12e1215881c12303b243a0d0e7

  • SHA512

    48f239b031592ef65c4059ad39c91ed0c434b9dc61b3f4a57d94d5b0c58f07be573d6b6eb7b8418ba27350f2714a9f1bf9786e73913f7efafcc832e2dcdbbd2d

  • SSDEEP

    12288:DhX0D9CQStfAheg7w2PUXWkdzyeNaoURCReJKv0+OOt8PYuTBQ5JNHrU32bWrM9D:h0DUY7TsfdHaoUR818CyPY34HA9gW

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Targets

    • Target

      VESTA_24060318938029921.exe

    • Size

      915KB

    • MD5

      830b5a3666861df17fa06afe6bb57170

    • SHA1

      811442711733dde2cf3f711dcdae0cc38b9e6008

    • SHA256

      4059d6ba1b86931e0b8ff5122dde1643020cd13afde2e33d4772e01358c35284

    • SHA512

      7ea8c880d63efdcedec6c1aa1a182d7c2dd5e0ac670c1ec6312dad221509212e9be2b198870fbfe4f6f700a7fdaf1c1dfd95df70ab20448d292a5aa74a239f87

    • SSDEEP

      12288:nhX0D9CQStfAheg7w2PUXWkdzyeNaoURCReJKv0+OOt8PYuTBQ5JNHrU32bWrM9D:d0DUY7TsfdHaoUR818CyPY34HA9gW

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks