General

  • Target

    1148-6-0x0000000000E00000-0x0000000000E42000-memory.dmp

  • Size

    264KB

  • Sample

    240612-g5qzvasgnb

  • MD5

    db3509b6ed192c1cccb0997dc0aad24c

  • SHA1

    96962c795d15f33d8886648e03277163737535d4

  • SHA256

    0ae807dd157e9c5b99a5b6e4a13a193cf5381f1e4db1aa1a7ead5e686b4b1de2

  • SHA512

    63e2cb52933664ddfccb6a58fd1316454726cb31631073baeda9d55fb446ae162ddf8871aad032185dd562046f8a2c53902eb0caacefe27938b728ebe9d0df4b

  • SSDEEP

    3072:aQYWwEgsgSh73KAG9ifNZG04jGD5/xh7YXaov:7YWwEgsgSh73KL9ifm04yVb7B

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.jeepcommerce.rs
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Cgn+Udqt0F%y

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.jeepcommerce.rs
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Cgn+Udqt0F%y

Targets

    • Target

      1148-6-0x0000000000E00000-0x0000000000E42000-memory.dmp

    • Size

      264KB

    • MD5

      db3509b6ed192c1cccb0997dc0aad24c

    • SHA1

      96962c795d15f33d8886648e03277163737535d4

    • SHA256

      0ae807dd157e9c5b99a5b6e4a13a193cf5381f1e4db1aa1a7ead5e686b4b1de2

    • SHA512

      63e2cb52933664ddfccb6a58fd1316454726cb31631073baeda9d55fb446ae162ddf8871aad032185dd562046f8a2c53902eb0caacefe27938b728ebe9d0df4b

    • SSDEEP

      3072:aQYWwEgsgSh73KAG9ifNZG04jGD5/xh7YXaov:7YWwEgsgSh73KL9ifm04yVb7B

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT) sold as a commodity kit. It harvests saved credentials from browsers, email and FTP clients and keyloggs the victim, then exfiltrates the collected data over a channel hard-coded in its config (here FTP to ftp.jeepcommerce.rs on port 21, per the extracted credentials above).

    • Reads WinSCP keys stored on the system

      Tries to read WinSCP stored sessions, which live under HKCU\Software\Martin Prikryl\WinSCP 2\Sessions (or in WinSCP.ini for the portable configuration). Session passwords there are only obfuscated, not encrypted, so a read is enough to recover them.

    • Reads data files stored by FTP clients

      Tries to read FTP-client configuration files such as FileZilla's recentservers.xml and sitemanager.xml under %APPDATA%\FileZilla, which hold saved hosts, usernames and (by default Base64-encoded) passwords.

    • Reads user/profile data of local email clients

      Email clients keep account settings and stored passwords in per-user profile directories (for example %APPDATA%\Thunderbird\Profiles); infostealers read these to harvest mail credentials.

    • Reads user/profile data of web browsers

      Infostealers read the browser's profile databases (for example Chrome's "Login Data" under %LOCALAPPDATA%\Google\Chrome\User Data), which hold saved logins, cookies and autofill data.

    • Looks up external IP address via web service

      Uses a legitimate public IP-lookup web service to learn the infected system's external IP, typically so it can be included in the exfiltrated report. The report does not name the service used by this sample.
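The extracted config and the behaviour flags above translate directly into triage rules: a connection to the hard-coded FTP drop site, an external-IP lookup, and reads of FTP, mail or browser credential stores by a process that is not their legitimate owner. The script below is an added example, not the sandbox's code or part of the report, that runs those rules over a handful of constructed Sysmon-style events. The C2 host and port come from the Extracted sections on this page; the IP-lookup host list, the stealer process path (svchost32.exe) and every event record are assumptions made up for the demonstration.

```python
"""Triage rules derived from the AgentTesla report above, run over constructed
Sysmon-like events (file/registry reads and outbound connections). Added
example; not the sandbox's or the report's own code."""
import ntpath
from collections import defaultdict

# From the Extracted config on this page: the hard-coded FTP exfil endpoint.
C2_HOST = "ftp.jeepcommerce.rs"
C2_PORT = 21

# Assumed: common external-IP lookup services. The report does not say which
# one this sample contacted, so treat this list as illustrative.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ipinfo.io"}

# Credential stores named by the behaviour flags, as lower-cased path fragments,
# with the process that legitimately touches each one.
CRED_STORES = [
    ("filezilla", r"\filezilla\recentservers.xml", {"filezilla.exe"}),
    ("filezilla", r"\filezilla\sitemanager.xml", {"filezilla.exe"}),
    ("winscp", r"\software\martin prikryl\winscp 2\sessions", {"winscp.exe"}),
    ("thunderbird", r"\thunderbird\profiles", {"thunderbird.exe"}),
    ("chrome", r"\google\chrome\user data\default\login data", {"chrome.exe"}),
]

# Assumed stealer image path used only in the constructed events below.
STEALER = r"C:\Users\u\AppData\Roaming\svchost32.exe"

# Constructed sample events (not from the sandbox run).
EVENTS = [
    {"type": "file", "image": STEALER,
     "target": r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "reg", "image": STEALER,
     "target": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\prod"},
    {"type": "file", "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "target": r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"},  # benign owner
    {"type": "net", "image": STEALER, "dst_host": "api.ipify.org", "dst_port": 80},
    {"type": "net", "image": STEALER, "dst_host": "ftp.jeepcommerce.rs", "dst_port": 21},
    {"type": "net", "image": r"C:\Windows\System32\svchost.exe",
     "dst_host": "update.microsoft.com", "dst_port": 443},  # benign traffic
]


def image_name(path):
    """Basename of a Windows image path, lower-cased (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()


def match_event(ev):
    """Return (rule, detail) when an event matches a report-derived rule, else None."""
    img = image_name(ev["image"])
    if ev["type"] == "net":
        host, port = ev["dst_host"].lower(), ev["dst_port"]
        if host == C2_HOST and port == C2_PORT:
            return "c2_ftp_exfil", f"{host}:{port}"
        if host in IP_LOOKUP_HOSTS:
            return "external_ip_lookup", host
    elif ev["type"] in ("file", "reg"):
        target = ev["target"].lower()
        for store, needle, owners in CRED_STORES:
            # Flag reads of a credential store by anything other than its owner.
            if needle in target and img not in owners:
                return "cred_store_access", f"{store}: {ev['target']}"
    return None


def triage(events):
    """Apply the rules to every event and escalate a process that shows the full
    stealer chain (credential-store read, IP lookup, FTP exfil) seen in this report."""
    hits = []
    per_image = defaultdict(set)
    for ev in events:
        m = match_event(ev)
        if m:
            rule, detail = m
            hits.append((rule, ev["image"], detail))
            per_image[ev["image"]].add(rule)
    chain = {"cred_store_access", "external_ip_lookup", "c2_ftp_exfil"}
    for image, rules in per_image.items():
        if chain <= rules:
            hits.append(("agenttesla_chain", image, "stealer read + IP lookup + FTP exfil"))
    return hits


if __name__ == "__main__":
    for rule, image, detail in triage(EVENTS):
        print(f"{rule:20} {image_name(image):16} {detail}")
```

The per-process escalation is the useful part: any one of the three signals is noisy on its own (IP lookups and FTP logins both occur legitimately), but one non-FTP-client process doing all three matches the behaviour set this report describes. In production the host/port rule should also cover the resolved IP and the FTP session on the wire, since the extracted credentials let a defender confirm the login user on the server side.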

MITRE ATT&CK Enterprise v15

Tasks