General

  • Target

    47e742b319284f94cdfa31df7fdaf5d3a6e4edda95116029238c06cdfd88d946

  • Size

    639KB

  • Sample

    240619-cz3n8swgnr

  • MD5

    54a37ef37fc5f7fae765f026ec1b12a1

  • SHA1

    209c650a4f10566a77f66b42e1e28ac2ef44739f

  • SHA256

    47e742b319284f94cdfa31df7fdaf5d3a6e4edda95116029238c06cdfd88d946

  • SHA512

    78a6abd52a83dff67a2014ea3f0b61083e2e3f93db999d39387109076ef11c76fc8e4d832cce2db995cfaaab1630aa96331ce09b6a01efe425a09a69eff8c88f

  • SSDEEP

    12288:Q6S2fQ7ORTLD8Wjf4pw1wPOp08vIhtfck6qYAgVjvP8kF:XSyQuTzXw2pvi1cCxY8c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    u;4z3V.Iir1l

Targets

    • Target

      RFQ#12P Introduction approved vendor.exe

    • Size

      1.0MB

    • MD5

      4b2392f37ab413cb037267617626efed

    • SHA1

      ceb32e52c9292c0f965c1f2a3c61fb3bb95999ff

    • SHA256

      1dcdee301091e79fda8c1ce30dd1ac39e912aed3720163a23b1f2d688635ceee

    • SHA512

      c63c2b77332b07df4364a302ba366a7faaeec28b184d9a74b21ab69ca1323cb515add9afee9e98a2ee7a138526901d49f3ec39555033f366e8299f340fffb9ec

    • SSDEEP

      24576:IAHnh+eWsN3skA4RV1Hom2KXMmHanl1rejVV5:Ph+ZkldoPK8Yannej5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks