General

  • Target

    MV TB QUANZHOU FULL DESCRIPTIONS 18-06-2024.exe

  • Size

    1.4MB

  • Sample

    240618-ss15tsyhrf

  • MD5

    4f28e13fed437e82ac249902f4f6a2c5

  • SHA1

    0dfbf2130e050e55a54680e5bbf68850233aaf93

  • SHA256

    615220f794e0a78c563dcec24f6ddfe01fc518a720ed3231f0cdd8733247fcaf

  • SHA512

    e2613e4f277a6c5e2bd9ed844ec1b7afa04eb5f6692ecaf7a3d6a0ced414c0efe2cf541daa433edd89a9bfd4fe7a4cf636d88dc13024848155eec407f0ef9282

  • SSDEEP

    24576:cAHnh+eWsN3skA4RV1Hom2KXMmHanpl08MR/j+4SJblmurHLFE5:7h+ZkldoPK8YanpfMR/j+48Lrc

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.kenvue.cam
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    adreport12345

Targets

    • Target

      MV TB QUANZHOU FULL DESCRIPTIONS 18-06-2024.exe

    • Size

      1.4MB

    • MD5

      4f28e13fed437e82ac249902f4f6a2c5

    • SHA1

      0dfbf2130e050e55a54680e5bbf68850233aaf93

    • SHA256

      615220f794e0a78c563dcec24f6ddfe01fc518a720ed3231f0cdd8733247fcaf

    • SHA512

      e2613e4f277a6c5e2bd9ed844ec1b7afa04eb5f6692ecaf7a3d6a0ced414c0efe2cf541daa433edd89a9bfd4fe7a4cf636d88dc13024848155eec407f0ef9282

    • SSDEEP

      24576:cAHnh+eWsN3skA4RV1Hom2KXMmHanpl08MR/j+4SJblmurHLFE5:7h+ZkldoPK8YanpfMR/j+48Lrc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks