General

  • Target

    09072024_0938_09072024_0098-432.IMG

  • Size

    1.2MB

  • Sample

    240709-ll2pfsxbpj

  • MD5

    ece4ec11900048ff532d23140c753c60

  • SHA1

    007a4e5a173d376211115a060bf74b31b54bfba9

  • SHA256

    9b4b08df3d4c1b28e9d6155edd08d844cb91051910007fe458bded8139fb228c

  • SHA512

    1cde5800ad207224abfc7d7ba2f758ea07f7ef5bc5b7b9b910ee26768cc1cac494046693a1a17d10b87e3d3045f925b9b0a1554354769c02648d6a4a21f08dc2

  • SSDEEP

    12288:5gPut44ew0JzpED/IrP8R+M8BzIRyR947dr7tBL:i1Fw03S/uPDM8RIQ4Jd5
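
The SSDEEP digest above and the one listed for Ungutturally.bat under Targets share the same block size (12288) and differ in only a few characters, which suggests the 1.2MB .IMG is, in content terms, little more than a container for the 457KB batch file. The Python below is an added example, not part of the sandbox report or of the ssdeep project: it re-implements the comparison side of ssdeep/libfuzzy (block-size compatibility check, collapsing of character runs, the 7-character common-substring gate, a weighted edit distance scaled to 0..100) so the digests printed in the report can be scored offline. The constants and the omitted small-block-size cap are assumptions about libfuzzy's behaviour; use the ssdeep or ppdeep package when the exact score matters.

```python
"""Offline comparison of the report's ssdeep (CTPH) digests.

Added example, not part of the sandbox report. It re-implements the
comparison step of ssdeep/libfuzzy: block-size compatibility check,
collapsing of long character runs, a 7-character common-substring gate,
then a weighted edit distance (insert/delete cost 1, substitute cost 2)
scaled to 0..100. The small-block-size cap libfuzzy applies is omitted
because every block size in this report is far above its threshold.
Use the ssdeep or ppdeep package for authoritative results.
"""

# Digests copied from the report.
IMG_DIGEST = "12288:5gPut44ew0JzpED/IrP8R+M8BzIRyR947dr7tBL:i1Fw03S/uPDM8RIQ4Jd5"
BAT_DIGEST = "12288:OgPut44ew0JzpED/IrP8R+M8BzIRyR947dr7tBLb:B1Fw03S/uPDM8RIQ4Jd5b"
DLL_DIGEST = "192:em24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlESl:m8QIl975eXqlWBrz7YLOlE"

SPAMSUM_LENGTH = 64   # maximum length of one block hash
ROLLING_WINDOW = 7    # shortest common substring ssdeep accepts


def parse(digest):
    """Split 'blocksize:hash1:hash2' into (int, str, str)."""
    block, h1, h2 = digest.split(":", 2)
    return int(block), h1, h2


def eliminate_sequences(s):
    """Collapse runs longer than three identical characters, as libfuzzy does
    before scoring, so long runs of padding do not dominate the distance."""
    out = []
    for ch in s:
        if len(out) >= 3 and ch == out[-1] == out[-2] == out[-3]:
            continue
        out.append(ch)
    return "".join(out)


def edit_distance(a, b):
    """Weighted Levenshtein distance: insert/delete cost 1, substitute cost 2."""
    prev = list(range(len(b) + 1))          # distance from '' to b[:j]
    for i, ca in enumerate(a, 1):
        cur = [i]                            # distance from a[:i] to ''
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                            # delete ca
                           cur[j - 1] + 1,                         # insert cb
                           prev[j - 1] + (0 if ca == cb else 2)))  # substitute
        prev = cur
    return prev[-1]


def has_common_substring(a, b, n=ROLLING_WINDOW):
    """libfuzzy refuses to score strings that share no n-character window."""
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


def score_strings(a, b):
    """Map the edit distance between two block hashes onto 0..100."""
    a, b = eliminate_sequences(a), eliminate_sequences(b)
    if len(a) > SPAMSUM_LENGTH or len(b) > SPAMSUM_LENGTH:
        return 0
    if not has_common_substring(a, b):
        return 0
    score = edit_distance(a, b)
    score = score * SPAMSUM_LENGTH // (len(a) + len(b))   # integer arithmetic, like libfuzzy
    score = 100 * score // SPAMSUM_LENGTH
    return 100 - score


def compare(d1, d2):
    """ssdeep-style match score between two digests (0 = unrelated, 100 = identical)."""
    b1, a1, a2 = parse(d1)
    b2, c1, c2 = parse(d2)
    if b1 == b2:                      # same block size: compare both hashes, keep the best
        return max(score_strings(a1, c1), score_strings(a2, c2))
    if b1 == 2 * b2:                  # neighbouring block sizes: d1's first hash vs d2's second
        return score_strings(a1, c2)
    if b2 == 2 * b1:
        return score_strings(a2, c1)
    return 0                          # block sizes too far apart to be comparable


if __name__ == "__main__":
    print("IMG vs BAT:", compare(IMG_DIGEST, BAT_DIGEST))   # 97
    print("IMG vs DLL:", compare(IMG_DIGEST, DLL_DIGEST))   # 0
```

Running it scores the image against the batch file at 97 and against System.dll at 0; the zero comes from the block sizes (12288 and 192 are not within a factor of two of each other, so ssdeep never compares the content at all), which is why a low ssdeep score on its own says nothing about two files being unrelated.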

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

  • Protocol:
    ftp
  • Host:
    ftp://mail.hearing-vision.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!
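
The extracted FTP credentials are the most actionable indicator in this report: AgentTesla logs in to mail.hearing-vision.com on port 21 and uploads the harvested data with an FTP STOR command, all in cleartext. The Python below is an added example, not part of the report: it resolves the C2 hostname to the addresses a sensor actually observed (so the rule survives the operator re-pointing the hostname) and flags FTP sessions and uploads to those addresses. The log records are constructed, Zeek-style JSON with only the fields used (field names follow Zeek's dns.log and ftp.log), the client and server IPs are documentation-range placeholders, and because the report redacts the username the example does not match on the login.

```python
"""Detection of AgentTesla FTP exfiltration from network logs.

Added example, not part of the sandbox report. The log records below are
constructed, Zeek-style JSON (field names from Zeek's dns.log and ftp.log;
only the fields used are included) and the addresses are documentation-
range placeholders. The report redacts the FTP username, so matching is
done on the resolved C2 address and the FTP command, not on the login.
"""
import json

# Extracted AgentTesla configuration from the report.
C2_HOST = "mail.hearing-vision.com"
C2_PORT = 21

UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}   # FTP commands that write a file to the server

# Constructed dns.log records: two hosts resolve the C2, one looks up an IP-echo service.
DNS_LOG = """\
{"ts": 1720524000.1, "id.orig_h": "10.0.0.15", "query": "mail.hearing-vision.com", "qtype_name": "A", "answers": ["203.0.113.10"]}
{"ts": 1720524001.4, "id.orig_h": "10.0.0.15", "query": "ip-lookup.example", "qtype_name": "A", "answers": ["198.51.100.7"]}
{"ts": 1720524002.0, "id.orig_h": "10.0.0.22", "query": "mail.hearing-vision.com", "qtype_name": "A", "answers": ["203.0.113.10", "203.0.113.11"]}
"""

# Constructed ftp.log records: an upload to the C2, a legitimate backup upload, a listing on the C2.
FTP_LOG = """\
{"ts": 1720524005.3, "uid": "CabC1", "id.orig_h": "10.0.0.15", "id.resp_h": "203.0.113.10", "id.resp_p": 21, "user": "<redacted>", "command": "STOR", "arg": "ftp://203.0.113.10/loot.html", "reply_code": 226}
{"ts": 1720524006.0, "uid": "CabC2", "id.orig_h": "10.0.0.30", "id.resp_h": "192.0.2.50", "id.resp_p": 21, "user": "backup", "command": "STOR", "arg": "ftp://192.0.2.50/nightly.tar", "reply_code": 226}
{"ts": 1720524007.2, "uid": "CabC3", "id.orig_h": "10.0.0.22", "id.resp_h": "203.0.113.11", "id.resp_p": 21, "user": "<redacted>", "command": "LIST", "arg": "", "reply_code": 226}
"""


def records(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def c2_addresses(dns_log, host):
    """Every address the sensor saw returned for the C2 hostname.
    Matching on observed answers rather than a hard-coded IP keeps the rule
    valid when the operator moves the hostname to a new server."""
    ips = set()
    for rec in records(dns_log):
        if rec.get("query", "").rstrip(".").lower() == host.lower():
            ips.update(rec.get("answers", []))
    return ips


def detect_ftp_exfil(dns_log, ftp_log, host, port):
    """Flag FTP activity to the C2: uploads are high severity, any other
    session (login, LIST, ...) is medium because the malware authenticated."""
    ips = c2_addresses(dns_log, host)
    alerts = []
    for rec in records(ftp_log):
        if rec.get("id.resp_h") not in ips or rec.get("id.resp_p") != port:
            continue
        upload = rec.get("command", "").upper() in UPLOAD_COMMANDS
        alerts.append({
            "uid": rec["uid"],
            "src": rec["id.orig_h"],
            "dst": rec["id.resp_h"],
            "severity": "high" if upload else "medium",
            "file": rec.get("arg", ""),
            "reason": ("FTP upload to " if upload else "FTP session with ")
                      + "AgentTesla C2 " + host,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ftp_exfil(DNS_LOG, FTP_LOG, C2_HOST, C2_PORT):
        print(alert["severity"], alert["src"], "->", alert["dst"], alert["reason"], alert["file"])
```

On a real sensor the same code reads Zeek's JSON output (enabled with `redef LogAscii::use_json = T;`); the backup host's STOR to an unrelated server is deliberately left alone so the rule keys on the C2, not on FTP uploads in general.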

Targets

    • Target

      Ungutturally.bat

    • Size

      457KB

    • MD5

      dc19646e2fb2a570c359460628e8d122

    • SHA1

      60a930c4b6740bc5cd48894387f9d893fc49cc49

    • SHA256

      d16dbafb5626e7299ec1deb1f87872b3fcd8f653c30bf99da53f5271003fe731

    • SHA512

      659028c4d9c72489089b724c0c8c608eec3c01a7e3392a0d6b6258c3cdea757c81abf0a41e9cf82c341a4b4e17f4bd98ca17ae6c1b10895276084298cf4bb9b5

    • SSDEEP

      12288:OgPut44ew0JzpED/IrP8R+M8BzIRyR947dr7tBLb:B1Fw03S/uPDM8RIQ4Jd5b

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, email clients and FTP clients (the behaviours listed below) and sends them to the operator, in this sample over FTP using the extracted configuration.

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020, commonly packaged as an NSIS installer; it decrypts its second-stage payload (here AgentTesla) and runs it in memory.

    • Loads dropped DLL

      The dropped DLL is $PLUGINSDIR/System.dll (listed below), the standard NSIS System plugin that lets an installer script call arbitrary Win32 APIs.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account data, including saved passwords, on disk, where infostealers routinely harvest it.

    • Reads user/profile data of web browsers

      Infostealers routinely harvest stored browser data such as saved logins, cookies and autofill entries.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4), so an attached debugger receives no debug events from it.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with ThreadHideFromDebugger (0x11) on an existing thread; debug events from that thread are no longer delivered to an attached debugger, a common anti-analysis trick.

    • Suspicious use of SetThreadContext

      Rewrites a thread's register context to redirect execution, typically the suspended primary thread of a child process after injected code has been written into it; this is the process-hollowing primitive.

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      a4dd044bcd94e9b3370ccf095b31f896

    • SHA1

      17c78201323ab2095bc53184aa8267c9187d5173

    • SHA256

      2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

    • SHA512

      87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

    • SSDEEP

      192:em24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlESl:m8QIl975eXqlWBrz7YLOlE

    • Score

      3/10 (the NSIS System plugin on its own; the malicious behaviour belongs to the installer that drops it)
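
The three "Suspicious use of" entries above are the API-level signals behind the GuLoader stage: hiding threads from a debugger and rewriting a thread's context. The following Python is an added example, not part of the report or of any sandbox's own signature code: it walks a constructed, simplified API trace (one record per call) and raises the same findings, plus the full process-hollowing sequence when a suspended child is written to, has its thread context replaced and is then resumed. The process IDs, the child process and the CreateProcessW / NtWriteVirtualMemory / NtResumeThread events are assumptions the report does not list; the numeric constants (ThreadHideFromDebugger = 0x11, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4, CREATE_SUSPENDED = 0x4) are the documented Windows values.

```python
"""Classifying anti-debug and thread-context signals from an API trace.

Added example, not part of the sandbox report or of any sandbox's own
signature code. TRACE is a constructed, simplified API trace (one record
per call); the process IDs, the suspended child and the CreateProcessW /
NtWriteVirtualMemory / NtResumeThread events are assumptions the report
does not list. The constants are the documented Windows values.
"""
from collections import defaultdict

THREAD_HIDE_FROM_DEBUGGER = 0x11               # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4   # NtCreateThreadEx CreateFlags bit
CREATE_SUSPENDED = 0x4                         # CreateProcess dwCreationFlags bit

# Constructed trace: pid 4120 hides its threads, then hollows child 5208;
# pid 6000 sets the context of its own thread, which runtimes do legitimately.
TRACE = [
    {"pid": 4120, "api": "NtSetInformationThread", "class": THREAD_HIDE_FROM_DEBUGGER},
    {"pid": 4120, "api": "NtCreateThreadEx", "flags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER},
    {"pid": 4120, "api": "CreateProcessW", "flags": CREATE_SUSPENDED, "child": 5208},
    {"pid": 4120, "api": "NtWriteVirtualMemory", "target": 5208},
    {"pid": 4120, "api": "SetThreadContext", "target": 5208},
    {"pid": 4120, "api": "NtResumeThread", "target": 5208},
    {"pid": 6000, "api": "SetThreadContext", "target": 6000},
]


def classify(trace):
    """Return {pid: sorted findings}. Findings:
    hide_from_debugger    - a thread hidden from the debugger via either API
    remote_thread_context - SetThreadContext on a thread of another process
    process_hollowing     - suspended child + remote write + context swap + resume
    """
    findings = defaultdict(set)
    suspended = defaultdict(set)   # pid -> children it created with CREATE_SUSPENDED
    written = defaultdict(set)     # pid -> other processes it wrote memory into
    hijacked = defaultdict(set)    # pid -> other processes whose thread context it replaced
    for ev in trace:
        pid, api = ev["pid"], ev["api"]
        if api == "NtSetInformationThread" and ev.get("class") == THREAD_HIDE_FROM_DEBUGGER:
            findings[pid].add("hide_from_debugger")
        elif api == "NtCreateThreadEx" and ev.get("flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            findings[pid].add("hide_from_debugger")
        elif api in ("CreateProcessA", "CreateProcessW") and ev.get("flags", 0) & CREATE_SUSPENDED:
            suspended[pid].add(ev["child"])
        elif api in ("NtWriteVirtualMemory", "WriteProcessMemory") and ev.get("target") != pid:
            written[pid].add(ev["target"])
        elif api in ("SetThreadContext", "NtSetContextThread") and ev.get("target") != pid:
            findings[pid].add("remote_thread_context")
            hijacked[pid].add(ev["target"])
        elif api in ("NtResumeThread", "ResumeThread"):
            target = ev.get("target")
            # Only the complete sequence on the same child counts as hollowing.
            if target in suspended[pid] & written[pid] & hijacked[pid]:
                findings[pid].add("process_hollowing")
    return {pid: sorted(f) for pid, f in findings.items()}


if __name__ == "__main__":
    for pid, found in classify(TRACE).items():
        print(pid, ", ".join(found))
```

Keeping the three bookkeeping sets per process is what separates the hollowing finding from a plain SetThreadContext hit: a debugger, a .NET runtime or a crash handler will touch its own thread context, but none of them spawn a suspended child, write into it and swap its context before resuming it.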

MITRE ATT&CK Enterprise v15
