General

  • Target

    12092024_0750_11092024_Shipping documents 0002939948400055.img

  • Size

    1.8MB

  • Sample

    240912-jpctdsyejf

  • MD5

    1e6cbca6ef639621a17c4d7a1d4411bd

  • SHA1

    1c83919263caf406edadebed9f2907dbabfabc24

  • SHA256

    1118c8d34d9c81654ec02a29655ee018a1e781515be0b81f98ebac809be53c6d

  • SHA512

    a5b60da805ad31d8d728574ed6f87b4eca72894baa50e59459a59e8ffd4e900c3474ac183f34592876fdb22a8578cee13ad74412cc019301c50280557ca1b2fe

  • SSDEEP

    12288:XNYnJyPKtca75RqRF6UxaKPHDM18qwdNcQeRFoubL0KZ1YkE9bMRvQSsHc69+c:yTma75ARF6Ux9HDe8felYUmHc69+c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      Shipping documents 0002939948400055.exe

    • Size

      1.3MB

    • MD5

      b4c7e0b0ef40ea0f57b6b265158e087f

    • SHA1

      da9c36b3eb690cbd15cd0a19ee6beae39191b7f7

    • SHA256

      8025e068e401764653aed170b3a0b07c5ed8c327f80e8d5b5f7d8ae3b0f44eaa

    • SHA512

      efb7488ba4c8243cf76414b5629c4bc29405109ba875f50d84a8f7cdcb468dbfd41a7422a2d621227c129a0afd977209aa0a2d6abf3ddc366feccba9c1340ac5

    • SSDEEP

      12288:7NYnJyPKtca75RqRF6UxaKPHDM18qwdNcQeRFoubL0KZ1YkE9bMRvQSsHc69+c:GTma75ARF6Ux9HDe8felYUmHc69+c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks