General

  • Target

    c5a66daf8a49bd675d71736d7a81366f

  • Size

    1.0MB

  • Sample

    240913-16c9xssfke

  • MD5

    c5a66daf8a49bd675d71736d7a81366f

  • SHA1

    5d0312e80a42f82914eca818e3206dba210cd2b8

  • SHA256

    56287adf7892b0d48ce32ace863e4e403f51dc20eba9e422602fb61bb667a5f1

  • SHA512

    f5b895fcf58dc665308bc56862b3f6eba43f5783f305d4e0992f8c46b5c867e083f8946100d5cb59a437a01c3ba633946a1e9256727c5033c21c0322538c3c0e

  • SSDEEP

    24576:p4lavt0LkLL9IMixoEgea5QRYRCeS0D8qWwq9MmCS:4kwkn9IMHea5Q2R3S0D8qPaPCS

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.stingatoareincendii.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    3.*RYhlG)lkA

Targets

    • Target

      c5a66daf8a49bd675d71736d7a81366f

    • Size

      1.0MB

    • MD5

      c5a66daf8a49bd675d71736d7a81366f

    • SHA1

      5d0312e80a42f82914eca818e3206dba210cd2b8

    • SHA256

      56287adf7892b0d48ce32ace863e4e403f51dc20eba9e422602fb61bb667a5f1

    • SHA512

      f5b895fcf58dc665308bc56862b3f6eba43f5783f305d4e0992f8c46b5c867e083f8946100d5cb59a437a01c3ba633946a1e9256727c5033c21c0322538c3c0e

    • SSDEEP

      24576:p4lavt0LkLL9IMixoEgea5QRYRCeS0D8qWwq9MmCS:4kwkn9IMHea5Q2R3S0D8qPaPCS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks