General

  • Target

    53cb921c892a4af5e396a5be5bc92887fd7465cd65023814e615ff542b5d6c93

  • Size

    609KB

  • Sample

    240913-k4p8pswbrb

  • MD5

    78299368b12478ca17c82f296be76805

  • SHA1

    521ad7504cb1bbe3fb30f451c6539eaf5fa48fea

  • SHA256

    53cb921c892a4af5e396a5be5bc92887fd7465cd65023814e615ff542b5d6c93

  • SHA512

    1d5eb40f0191486ba21bfd4530c2d33b783c38cb78245a933f4b931fc1d115e722a1323e8620c621127dc557e3d44b29857b0953668b07df2911e301a8773d5c

  • SSDEEP

    12288:lRD8H7QFnKWcACE/iYdaFfCyTyNoND2pjbRedisXW6lYobZGBLiJ:lJ8bEn1cACgAVTyN8DudUisXWYYobZI8

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.haliza.com.my
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    JesusChrist007$

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.haliza.com.my
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    JesusChrist007$

Targets

    • Target

      ae7c268e9b988e9fa86380095f0a5cbb7d04024505c01dab09feed5ab8551b8d.exe

    • Size

      631KB

    • MD5

      016008b0ef5f86ef850df3cb587970ed

    • SHA1

      f571d31d9bc2e8229298f4850fddb17903b0854c

    • SHA256

      ae7c268e9b988e9fa86380095f0a5cbb7d04024505c01dab09feed5ab8551b8d

    • SHA512

      8e86686f0438bcbfedc4307d618ee9f900b58c2bf8ff34c5c66f9ddfa5dc62495dbc7e12f9b1d39f5a6c7e5450867a6441eec2a9d6ecf58dbd9976b4f2c03df3

    • SSDEEP

      12288:lP7kv+SxK+zaXwOUc49cb4T9uJ7Rfp5L22Vv0xQ0L7B5S5:lPonxK+aXvUZGbfpRfp5HV8xQC5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks