General

  • Target

    5da30a81eda57e352ebeb7d2e990fdd15052c9a58204201df853a475c8a6492c

  • Size

    1.0MB

  • Sample

    240612-cbz87sycjq

  • MD5

    3a49dfbebcec55be9350e0b993e84ab2

  • SHA1

    cc7fc80c9724c485ff24ebaa34dd169d3ab93415

  • SHA256

    5da30a81eda57e352ebeb7d2e990fdd15052c9a58204201df853a475c8a6492c

  • SHA512

    4601c86fa6fcd959137df90476af15b1b5e0f306cb6ff1ea9262bf5c02c89007d76fc7066a820958677260254d92145b363ae7e5498db541291fa740a488598b

  • SSDEEP

    24576:+g61jjk0LAta9AbDIcQfJ8B/gDmusXbQ38cv8nuEOwx2a:b1B/g1sXE8cxExka

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.jeepcommerce.rs
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    YeAiGo[)yv#k

Targets

    • Target

      5da30a81eda57e352ebeb7d2e990fdd15052c9a58204201df853a475c8a6492c

    • Size

      1.0MB

    • MD5

      3a49dfbebcec55be9350e0b993e84ab2

    • SHA1

      cc7fc80c9724c485ff24ebaa34dd169d3ab93415

    • SHA256

      5da30a81eda57e352ebeb7d2e990fdd15052c9a58204201df853a475c8a6492c

    • SHA512

      4601c86fa6fcd959137df90476af15b1b5e0f306cb6ff1ea9262bf5c02c89007d76fc7066a820958677260254d92145b363ae7e5498db541291fa740a488598b

    • SSDEEP

      24576:+g61jjk0LAta9AbDIcQfJ8B/gDmusXbQ38cv8nuEOwx2a:b1B/g1sXE8cxExka

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks