General

  • Target

    13092024031512092024DHL..bat.lzh

  • Size

    572KB

  • Sample

    240913-gxe8dayelb

  • MD5

    c1f17ecebc72a149960cfaa053a42d3d

  • SHA1

    58e7db773991b1cbbb51de936470c94e907dbd05

  • SHA256

    7aab3ccad2c9e2eae8f82c7db33fe5dbbbdde2779e5df2fbce1c6363dacae781

  • SHA512

    63976b9bfb6b93191a5526af0272898bcd2dea8894183e9869606290d64adb95e50768b649213a4240f777245b697b2d749c8b150c5772ee5d52c602f1ad2cdb

  • SSDEEP

    12288:zqHKSYoPvFtOrwAf8XMMYoxV8ERIqkODhB8CLD+pySOTJtl1EcUOY8KZWbU6L:2Oq9Q/gBYoH/rhvLCU/TJPDRY8KMg6L

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.solucionesmexico.mx
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    dGG^ZYIxX5!B

Targets

    • Target

      ΕΓΓΡΑΦΟ ΤΙΜΟΛΟΓΙΟΥ DHL Ελλάδα Α.Ε.bat.exe

    • Size

      100.0MB

    • MD5

      091cf2e005afc7393a16a1644e19af9c

    • SHA1

      489ca79f7b9cc5af77c9d281e2b5b8289d49bd30

    • SHA256

      8b4d29d39c1085b7e1fa42bbbb8a0b38b8ae615eaa1d152f4c09756fde5f1b23

    • SHA512

      4619afb10efa219156acbcf08aba716f2c5cd35b6f0f4fbdad94fb0dcfc840565324161f529a844560fada11f019211d687a44ae21b909ce32592539807fed50

    • SSDEEP

      12288:LXe9PPlowWX0t6mOQwg1Qd15CcYk0We1F2OKY4+5PMmXICU9t6j:ShloDX0XOf43h4bmXIC2G

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks