General

  • Target

    499df614b640e6e6531f32ceb3271d7d661f5256d49f57e9d360a4791d37943f.exe

  • Size

    2.3MB

  • Sample

    240914-bqltpazblp

  • MD5

    634121b2af66dd5433c1155702abc84c

  • SHA1

    f3fd2a1800c4272bdf8209ff47e3703a4923e699

  • SHA256

    499df614b640e6e6531f32ceb3271d7d661f5256d49f57e9d360a4791d37943f

  • SHA512

    60786abdb281fe3f4fc4e242434fb280271684f13b683dc9cd32ac1a6e29ba496cea2c22ee1a82fa9dd6896f6530e9a0c07e2245ee35fc6100f7d684623bc805

  • SSDEEP

    12288:tuEAmDY2kyLG/XModp1HmKwHfX7ZWezHiLfdHcWJWnVMaKo9Nip2IiUlbtgfXD70:cM9y3QvpHiLFcVVMaP9Nip7lbtgfT70

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    u;4z3V.Iir1l

Targets

    • Target

      499df614b640e6e6531f32ceb3271d7d661f5256d49f57e9d360a4791d37943f.exe

    • Size

      2.3MB

    • MD5

      634121b2af66dd5433c1155702abc84c

    • SHA1

      f3fd2a1800c4272bdf8209ff47e3703a4923e699

    • SHA256

      499df614b640e6e6531f32ceb3271d7d661f5256d49f57e9d360a4791d37943f

    • SHA512

      60786abdb281fe3f4fc4e242434fb280271684f13b683dc9cd32ac1a6e29ba496cea2c22ee1a82fa9dd6896f6530e9a0c07e2245ee35fc6100f7d684623bc805

    • SSDEEP

      12288:tuEAmDY2kyLG/XModp1HmKwHfX7ZWezHiLfdHcWJWnVMaKo9Nip2IiUlbtgfXD70:cM9y3QvpHiLFcVVMaP9Nip7lbtgfT70

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • UAC bypass

    • Windows security bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks