General

  • Target

    dd18dd6759f8f926928be4b70e93ca3c44bce634b3c494b742f58356ba811670.rar

  • Size

    589KB

  • Sample

    240914-cdpv9a1hmd

  • MD5

    52f6e456c980694df14d23bdf39a9225

  • SHA1

    5eeb3e06effccf5170a387f6dbd0bb30e32c7e70

  • SHA256

    dd18dd6759f8f926928be4b70e93ca3c44bce634b3c494b742f58356ba811670

  • SHA512

    0c7be91e90d88b0b5881606032e37384c179ee63ba2d63a6699f2003fd4fc987101cda6ec11a8fdf4c226731305b5a2f63b715e1a04fa3040796d10e3a8844cf

  • SSDEEP

    12288:QS/nIUNeVFZOZnfX7bCGEzg5eqa5EU+qFUToF3O3BcxRTtL9t:QS/laFMfLbCGEz5v+qTF3xTRP
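The first thing a practitioner does with a report like this is confirm that the file on disk is the file the report describes. The following Python script is an added example, not part of the sandbox report or its tooling; it copies the MD5/SHA1/SHA256/SHA512 values for both the RAR archive (named after its own SHA256) and the `Vessel's details_pdf.scr` payload it contains (a screen-saver executable with a `_pdf` suffix to look like a document) and checks a local file against them. SSDEEP is left out because the standard library has no fuzzy hashing; the `ssdeep` package is needed for that.

```python
"""Check that a local copy of the sample matches the digests in this report.

Added example, not part of the sandbox report. The digests in REPORTED are
copied from the report; the helper functions are written for this page.
"""
import hashlib
import sys
from pathlib import Path
from typing import Optional

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests from the report: the RAR archive (named after its own SHA256) and the
# .scr payload it contains.
REPORTED = {
    "dd18dd6759f8f926928be4b70e93ca3c44bce634b3c494b742f58356ba811670.rar": {
        "md5": "52f6e456c980694df14d23bdf39a9225",
        "sha1": "5eeb3e06effccf5170a387f6dbd0bb30e32c7e70",
        "sha256": "dd18dd6759f8f926928be4b70e93ca3c44bce634b3c494b742f58356ba811670",
        "sha512": "0c7be91e90d88b0b5881606032e37384c179ee63ba2d63a6699f2003fd4fc987101cda6ec11a8fdf4c226731305b5a2f63b715e1a04fa3040796d10e3a8844cf",
    },
    "Vessel's details_pdf.scr": {
        "md5": "61217d7c7664881d1d97df8a3c539cc4",
        "sha1": "c6f020de1f91d2e82883ad60056429f9ef20684a",
        "sha256": "d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db",
        "sha512": "aec3b2061111850e384e847720cf572291d7e9eed8a012345ba34ac855396e1422ce9b8362efe85d857daf08cb63d9df0397daa7d127e08b62ab85fa7cb4a028",
    },
}

def compute_digests(data: bytes) -> dict:
    """Hash the data with every algorithm in ALGORITHMS; lowercase hex digests."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}

def verify_digests(data: bytes, expected: dict) -> dict:
    """Compare against expected digests (any letter case); True where they match."""
    actual = compute_digests(data)
    return {name: actual[name] == value.lower() for name, value in expected.items()}

def identify(data: bytes) -> Optional[str]:
    """Return the report entry whose SHA256 matches the data, or None."""
    sha256 = compute_digests(data)["sha256"]
    for name, digests in REPORTED.items():
        if digests["sha256"] == sha256:
            return name
    return None

if __name__ == "__main__":
    # Usage: python verify_sample.py <file> [<file> ...]
    for arg in sys.argv[1:]:
        data = Path(arg).read_bytes()
        name = identify(data)
        if name is None:
            print(f"{arg}: not one of the files in this report")
            continue
        result = verify_digests(data, REPORTED[name])
        status = "all digests match" if all(result.values()) else f"MISMATCH {result}"
        print(f"{arg}: {name} -> {status}")
```

Matching is done on SHA256 first and the remaining digests are then checked as well, so a report whose hash table was edited or mistyped shows up as a partial mismatch rather than a silent pass.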

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://cash4cars.nz
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    -[([pqM~nGA4
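The extracted configuration gives the exfiltration channel: plain FTP to cash4cars.nz on port 21, so the credentials and the stolen data cross the network unencrypted. The Python below is an added example, not part of the sandbox report; it takes the host and port from the config above and runs over a constructed, tab-separated per-command FTP log (the format and every line are made up for this example, not a real sensor format; the redacted username and the password are not reproduced) to list which internal hosts logged in to that server and what they uploaded.

```python
"""Spot uploads to the FTP host named in the extracted Agent Tesla config.

Added example, not part of the sandbox report. IOC_HOST and IOC_PORT come from
the report; the log format and every log line are constructed for the example.
"""
import csv
import io
from collections import defaultdict

IOC_HOST = "cash4cars.nz"  # exfiltration host from the extracted config
IOC_PORT = 21

# Constructed sample: one FTP control-channel command per line. The server IP,
# hostnames, file names and timestamps are invented; dst_ip uses documentation
# address space. The USER argument is withheld as it is in the report.
SAMPLE_LOG = """\
ts\tsrc\tdst_ip\tdst_port\tserver_name\tcommand\targ\treply
1726300801.10\t10.0.0.15\t203.0.113.5\t21\tcash4cars.nz\tUSER\t<redacted>\t331
1726300801.25\t10.0.0.15\t203.0.113.5\t21\tcash4cars.nz\tPASS\t********\t230
1726300802.40\t10.0.0.15\t203.0.113.5\t21\tcash4cars.nz\tSTOR\tDESKTOP-1A2B-report.html\t226
1726300803.00\t10.0.0.15\t203.0.113.5\t21\tcash4cars.nz\tSTOR\tDESKTOP-1A2B-cookies.txt\t426
1726300810.00\t10.0.0.22\t198.51.100.9\t21\tftp.example.org\tSTOR\tquarterly.csv\t226
"""

def parse_log(text: str) -> list:
    """Parse the tab-separated log into one dict per command."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def find_exfil(text: str, ioc_host: str = IOC_HOST, ioc_port: int = IOC_PORT) -> dict:
    """Group FTP activity towards the IOC host by internal source address.

    An upload counts as completed only when the server answered with a 2xx
    reply (226 Transfer complete); STOR attempts that failed are listed apart
    so an analyst still sees what the stealer tried to send.
    """
    by_src = defaultdict(lambda: {"logins": 0, "uploads": [], "failed_uploads": []})
    for row in parse_log(text):
        if row["server_name"].lower() != ioc_host.lower() or int(row["dst_port"]) != ioc_port:
            continue
        entry = by_src[row["src"]]
        if row["command"] == "USER":
            entry["logins"] += 1
        elif row["command"] == "STOR":
            key = "uploads" if row["reply"].startswith("2") else "failed_uploads"
            entry[key].append(row["arg"])
    return dict(by_src)

if __name__ == "__main__":
    for src, activity in find_exfil(SAMPLE_LOG).items():
        print(f"{src}: {activity['logins']} login(s), uploaded {activity['uploads']}, "
              f"failed {activity['failed_uploads']}")
```

Because the session is cleartext, a full packet capture of the same traffic also yields the uploaded files themselves, which is the quickest way to establish exactly which credentials left the host.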

Targets

    • Target

      Vessel's details_pdf.scr

    • Size

      640KB

    • MD5

      61217d7c7664881d1d97df8a3c539cc4

    • SHA1

      c6f020de1f91d2e82883ad60056429f9ef20684a

    • SHA256

      d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db

    • SHA512

      aec3b2061111850e384e847720cf572291d7e9eed8a012345ba34ac855396e1422ce9b8362efe85d857daf08cb63d9df0397daa7d127e08b62ab85fa7cb4a028

    • SSDEEP

      12288:S0gFxlwGD/ERhZ3YtrWPciSFxUTjKjdAwDxnmYXuFGDDhXH:i7zMhhur1iSOjsdAMxmIAO

    • AgentTesla

Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, commonly written in Visual Basic .NET. It harvests saved credentials from browsers, email and FTP clients and sends them to the operator over channels such as SMTP or FTP; the configuration extracted above uses FTP.

    • Credentials from Password Stores: Credentials from Web Browsers

Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the payload is not scanned.

    • Checks computer location settings

Looks up the country code configured in the registry, likely as a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

• Suspicious use of SetThreadContext

      Commonly used to redirect execution of a thread in another process, as in process hollowing and similar injection techniques.
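The Defender exclusion behaviour listed above is one of the most reliable things to hunt for in PowerShell script-block logging (event ID 4104 ScriptBlockText) or process command lines. The Python below is an added example, not part of the sandbox report or the sample; it flags Add-MpPreference / Set-MpPreference invocations that carry -ExclusionPath, -ExclusionExtension or -ExclusionProcess, including the abbreviated parameter names PowerShell accepts, and extracts the excluded values. The script blocks it runs over are constructed for this example and are not taken from the analysed file.

```python
"""Flag Windows Defender exclusion changes in PowerShell script-block logs.

Added example for this page, not part of the sandbox report. Input is a list of
ScriptBlockText values as logged by PowerShell event 4104 (or process command
lines carrying the same text); the sample blocks below are constructed.
"""
import re

CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)

# One value: a double-quoted string, a single-quoted string, or a bare run with
# no whitespace or commas. A parameter may carry a comma-separated list.
_VALUE = r"""(?:"[^"]*"|'[^']*'|[^\s,"']+)+"""
_VALUES = _VALUE + r"(?:\s*,\s*" + _VALUE + r")*"
# -ExclusionPath / -ExclusionExtension / -ExclusionProcess, including the
# shortened forms PowerShell resolves unambiguously (e.g. -ExclusionPa).
PARAM = re.compile(r"-(Exclusion(?:Pa\w*|Ex\w*|Pr\w*))\s+(" + _VALUES + ")", re.IGNORECASE)

def _kind(param_name: str) -> str:
    """Map a (possibly abbreviated) parameter name to path/process/extension."""
    p = param_name.lower()
    if p.startswith("exclusionpa"):
        return "path"
    if p.startswith("exclusionpr"):
        return "process"
    return "extension"

def _split_values(raw: str) -> list:
    """Pull each item out of a comma-separated list and drop surrounding quotes."""
    return [v.strip("\"'") for v in re.findall(_VALUE, raw)]

def find_defender_exclusions(script_blocks) -> list:
    """Return one finding per script block that adds Defender exclusions."""
    findings = []
    for block in script_blocks:
        cmdlet = CMDLET.search(block)
        if not cmdlet:
            continue
        found = {"path": [], "extension": [], "process": []}
        for m in PARAM.finditer(block):
            found[_kind(m.group(1))].extend(_split_values(m.group(2)))
        if any(found.values()):
            findings.append({"cmdlet": cmdlet.group(0), **found, "script_block": block})
    return findings

# Constructed sample script blocks (not from the analysed sample).
SAMPLE_SCRIPT_BLOCKS = [
    r'Add-MpPreference -ExclusionPath "C:\Users\Public" -ExclusionExtension ".scr",".exe" -ExclusionProcess "C:\Users\Public\svc.exe"',
    'Get-MpPreference | Select-Object ExclusionPath',
    r'Set-MpPreference -ExclusionPath C:\ProgramData\tmp -Force',
    'add-mppreference -exclusionextension exe',
    'Write-Host "deployment finished"',
]

if __name__ == "__main__":
    for hit in find_defender_exclusions(SAMPLE_SCRIPT_BLOCKS):
        print(f"{hit['cmdlet']}: path={hit['path']} ext={hit['extension']} proc={hit['process']}")
```

Two caveats when deploying this: PowerShell splits long scripts across several 4104 events, so reassemble by ScriptBlockId before matching, and a cmdlet fed through splatting (`Add-MpPreference @params`) or a variable-built argument list will not expose the values in the text and needs a separate rule on the cmdlet name alone.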

MITRE ATT&CK Enterprise v15