General

  • Target

    d04a4d35f420685b9d2c4f8ed2e2f46944894e0a80352f0aab3f4f522e5355fe

  • Size

    749KB

  • Sample

    240612-cek9fsycnd

  • MD5

    8dd9373d457f7ee5be8c225d96959a61

  • SHA1

    c581ca78b6e63595857ec50bed893cc009a8672d

  • SHA256

    d04a4d35f420685b9d2c4f8ed2e2f46944894e0a80352f0aab3f4f522e5355fe

  • SHA512

    f26a89f6d0b06e841302c6625ccaf9f582ad412e8c84014e466a6528ea2ee737f5e201ddb887b454f56e81022d038c242c17e15f6c722660eb89a267f53e14f7

  • SSDEEP

    12288:N0ZXK+qX83NIpvTjU6lNF584kJTYRvuGWywwzJs35QDe1d6ZH6zhfKt+KfuZ:NsXK+q83NIpvT5lf5847RvuGnwwzJs3h

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.jeepcommerce.rs
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    YeAiGo[)yv#k

Targets

    • Target

      PO HOI-2024-055.exe

    • Size

      1.0MB

    • MD5

      1483ef78efe6ae4636ba2888d09ebd8d

    • SHA1

      f7551c0b1583db6a5a5323abb659084d66fa9117

    • SHA256

      51991927ba3cf9049da35e9104b96129bbff2389c24ccf09b767ddde8dc78b5e

    • SHA512

      3a47d2463e0433ee5c42f7744718dea4d8d9b71f21f609669f65415f041f4672c2aa66ed13724f683ffbc577a40446c871e73e998da02412f67e76af0182b5cc

    • SSDEEP

      24576:gg61jjk0LAta9APDIMOzJFvzTwCzTQbbxViUSX8wx2a:hdOzLv/pMbbxVjSXDka

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks