General

  • Target

    13092024_0412_12092024_HAWB No Original 2 - (for Consignee) - HAWB No_ D889163[2].pdf.bat.bz2

  • Size

    584KB

  • Sample

    240913-esvfdsthne

  • MD5

    7093258960a3163ca9d784d4de9dbae7

  • SHA1

    b939198c51675c7a99c1ce641a62feeda3f27bdc

  • SHA256

    367dfffe5b481ea41845028453d6c1dbe7ffa9b214c509946a7ffccbd80cf622

  • SHA512

    bff604f730fb8bb67c60da4241d4c8e557c88326473c09cc604c24fc1ec2826f2e65800c80b977b63b6719bc0b095bbf14808d06693e74a9cc81ed1551fdeb79

  • SSDEEP

    12288:z8Z4bJ31v9oibrEjtXXqx3TQ85NASFE9WHHGtSIGrAJ/s+O2D3kzn:z7bR1uwEhHqxTQ8RFG2ksyg

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.solucionesmexico.mx
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    dGG^ZYIxX5!B

Targets

    • Target

      HAWB No Original 2 - (for Consignee) - HAWB No_ D889163[2].pdf.bat.exe

    • Size

      100.0MB

    • MD5

      06359c881acaf0b5fae99f212a6a224f

    • SHA1

      f3a946aaeab510541245e172070f41d0d84caf2b

    • SHA256

      cf13092b0f85ac7a68901d82f210a5e68de6d47fd877a6b21e42dc4341a0fb11

    • SHA512

      8dd4e2a9647f25e2f4ceec7ea20373d8431ad07691a55a46456884c4263467423dce7e598249242ca86f1a84100212ff27ae2293ef07ba0ff1365ce41436fa67

    • SSDEEP

      12288:uXe9PPlowWX0t6mOQwg1Qd15CcYk0We1FH4l6/B/yAzUAxLMT4J:DhloDX0XOf4X/yAzUYI4J

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks