General
Target: dd18dd6759f8f926928be4b70e93ca3c44bce634b3c494b742f58356ba811670.rar
Size: 589KB
Sample: 240914-cdpv9a1hmd
MD5: 52f6e456c980694df14d23bdf39a9225
SHA1: 5eeb3e06effccf5170a387f6dbd0bb30e32c7e70
SHA256: dd18dd6759f8f926928be4b70e93ca3c44bce634b3c494b742f58356ba811670
SHA512: 0c7be91e90d88b0b5881606032e37384c179ee63ba2d63a6699f2003fd4fc987101cda6ec11a8fdf4c226731305b5a2f63b715e1a04fa3040796d10e3a8844cf
SSDEEP: 12288:QS/nIUNeVFZOZnfX7bCGEzg5eqa5EU+qFUToF3O3BcxRTtL9t:QS/laFMfLbCGEz5v+qTF3xTRP
Static task: static1
Behavioral task: behavioral1
Sample: Vessel's details_pdf.scr
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: Vessel's details_pdf.scr
Resource: win10v2004-20240802-en
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://cash4cars.nz
Port: 21
Username: [email protected]
Password: -[([pqM~nGA4
Targets
Target: Vessel's details_pdf.scr
Size: 640KB
MD5: 61217d7c7664881d1d97df8a3c539cc4
SHA1: c6f020de1f91d2e82883ad60056429f9ef20684a
SHA256: d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db
SHA512: aec3b2061111850e384e847720cf572291d7e9eed8a012345ba34ac855396e1422ce9b8362efe85d857daf08cb63d9df0397daa7d127e08b62ab85fa7cb4a028
SSDEEP: 12288:S0gFxlwGD/ERhZ3YtrWPciSFxUTjKjdAwDxnmYXuFGDDhXH:i7zMhhur1iSOjsdAMxmIAO
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, the web browser credential store.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)