General

  • Target

    19062024_1623_19062024_Hecker Glastechnik - Bestellung #009449.PDF.R00

  • Size

    81KB

  • Sample

    240619-tvxqvsxhmr

  • MD5

    adeba254d4856f8b56bab22e5f4762bb

  • SHA1

    126b9a7fbc6f680f2d34f5ef2466fe99d501cd96

  • SHA256

    444e0f78ff10d8f982255fad69643a04d657fcf90d32aa11ba5c0c99e41aa5bf

  • SHA512

    16dd72d7134c377d436dc681eff1f7f2fb237f85d4969689d0973306a810e1cd2c4d2004993dc5fde7be242218340b6a0478cc4f9caa4c4faa3cd5447fb40a50

  • SSDEEP

    1536:f7mcJRwNQMQfFp0AQ9FKCdP0jgBEMaIEmSK18gHaGJ9xiNTMU5n65mLJ/QVZki:aWR2AaAQd0jgBED2h8ZG7xidMO65SJQB

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      Hecker Glastechnik - Bestellung #009449 PDF.wsf

    • Size

      206KB

    • MD5

      e45509b2d0a7e32fc8d37d9396e9c996

    • SHA1

      d3e24fd1fad2a43b398dda3a323c9f1505d00cd5

    • SHA256

      a595420db53980c067e7d19ea8492841aab2b13b83a9f9ec37c22742505c41cc

    • SHA512

      2eed02b6b88ec2d3abbf4468b82ae6b45ec273f9719b77d7e0378aaba1276e5012022bbd6305c40260b976bd4c39baa0d9de4fd2f9de65ed0b8be8a3e73588fc

    • SSDEEP

      6144:ocpTPh8jo05VyISgHvr2E7qJAa0vRg6JiwMgRYs6MVgzFzY3Wyvq2tP7KtEB44:+HJ4SWaF

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks