General

  • Target

    New Order.zip

  • Size

    597KB

  • Sample

    240625-kc1kcssblr

  • MD5

    94f4614da149d60a452c3263e2579c73

  • SHA1

    08d3e46744ffb2bbdb7c7209ec3c92cbde7f53e6

  • SHA256

    5845cea9e4de829d43d165bf7534ae18c4f3b97d599aeac0712448dffc470d67

  • SHA512

    d4c368d90607fb578826dd3b8100cb5c6890ac6314753b7f3a831f37228ab136441c0ca5d40feddbda124750642b87c2ce8d5e51c7c0bc6e1bb6bf5f0ab5bdb6

  • SSDEEP

    12288:pp2pLwTu0K6t7pvOksPc/1zDUDB+VjB4eFL12hiSxUWrdva94szaMxW3:pRTufUp2vU/1zDRNFghiSxxva2szi

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.chachitos.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Miguel#2021@@

Targets

    • Target

      gdC5AKTv6RiIgyr.exe

    • Size

      627KB

    • MD5

      76833b147943848963f23afc9e6e1f5d

    • SHA1

      e21b52602530d829e2a20cbe14187e9c07560a08

    • SHA256

      fd05577096a8cf7e8a3955da0412f698199b9d2f53bea732351b7f2eb18819ce

    • SHA512

      82685751264e4a3bdac8bfa1a6d4db0b495909618bdd6612b1aa8456010d4f07aadbdd8063512973d51ac88bf6b5277f0591095a1a1860813c42030f88dff130

    • SSDEEP

      12288:+OuWLJLlqkK6t7pv/HqMmcMglzWkJFRa1J352/jvjb12biSJ6ImMKVVwtN:+2UUpRmHgljJFRuJ352/LjwbiSeMKV

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15