General
-
Target
12092024075011092024Shippingdocuments0002939948400055.img
-
Size
1.8MB
-
Sample
240912-wmss2swhrg
-
MD5
1e6cbca6ef639621a17c4d7a1d4411bd
-
SHA1
1c83919263caf406edadebed9f2907dbabfabc24
-
SHA256
1118c8d34d9c81654ec02a29655ee018a1e781515be0b81f98ebac809be53c6d
-
SHA512
a5b60da805ad31d8d728574ed6f87b4eca72894baa50e59459a59e8ffd4e900c3474ac183f34592876fdb22a8578cee13ad74412cc019301c50280557ca1b2fe
-
SSDEEP
12288:XNYnJyPKtca75RqRF6UxaKPHDM18qwdNcQeRFoubL0KZ1YkE9bMRvQSsHc69+c:yTma75ARF6Ux9HDe8felYUmHc69+c
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Extracted
Protocol: ftp- Host:
ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Targets
-
-
Target
Shipping documents 0002939948400055.exe
-
Size
1.3MB
-
MD5
b4c7e0b0ef40ea0f57b6b265158e087f
-
SHA1
da9c36b3eb690cbd15cd0a19ee6beae39191b7f7
-
SHA256
8025e068e401764653aed170b3a0b07c5ed8c327f80e8d5b5f7d8ae3b0f44eaa
-
SHA512
efb7488ba4c8243cf76414b5629c4bc29405109ba875f50d84a8f7cdcb468dbfd41a7422a2d621227c129a0afd977209aa0a2d6abf3ddc366feccba9c1340ac5
-
SSDEEP
12288:7NYnJyPKtca75RqRF6UxaKPHDM18qwdNcQeRFoubL0KZ1YkE9bMRvQSsHc69+c:GTma75ARF6Ux9HDe8felYUmHc69+c
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1