General

  • Target

    0097-CGM CIGIEMME S.p.A.exe

  • Size

    3.4MB

  • Sample

    240625-mrwaasvdqd

  • MD5

    9e35067d3f1f07f70be1511573e3361a

  • SHA1

    3e5585bc6da1df4e7efdcb21875e62bfa42939c4

  • SHA256

    c270dab4061bd86028a27bedf92f321be6a48043bdcde018d29dee620cd88b5d

  • SHA512

    7151dfd134f5b82a4f45030022deac123d53007edfae5009119960272ba587e0639aeb7e80e134106dce363716b4d6a39cccf02aa1ab16a4f2654a878f1eea39

  • SSDEEP

    12288:Xci9165SOaPkCv/vCC/gK5ezStdCtJIIGLA5bjGWemghjEPIuT:7ejuLXvp5ebtWIGLCbfghjSX

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    uy,o#mZj8$lY

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks