General

  • Target

    48f845c33f790a9cf74760a5a8aa6ce48cfcab9eb0053f6b983333e6f2c6e828

  • Size

    608KB

  • Sample

    240915-k9t4vaxakm

  • MD5

    f9d3bf5abef1a65da94302943e55489d

  • SHA1

    e5d51928351174acb17b98aa6d6957fa1ed61cc7

  • SHA256

    48f845c33f790a9cf74760a5a8aa6ce48cfcab9eb0053f6b983333e6f2c6e828

  • SHA512

    9f24ce077aa59de9977bd5a72a145d6c0cfd2d8dcbe1053a5a7243844f91f74b3b189aa4d8c30cbbe5375abfe6ba15e9ebd70960d9b4e54304d1e5de97bdb7d7

  • SSDEEP

    12288:JnDMGuXoIy5jC37kvIgp1SS6ffTWwchhhoFVxmggPQnwf2Oy3:a2IypqcIEtMfqwbFsPQnwf2Oy3

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Targets

    • Target

      INVOICE09876545J.bat

    • Size

      633KB

    • MD5

      38febc8fe240353eab810eeedc379961

    • SHA1

      4145de7c3f531f10c786d09302923f0572244d53

    • SHA256

      eb59c6e8a42daf2f27f8112f109e563128e0d2b3a4cd9a074832e68e75cb9870

    • SHA512

      a276a728bf50085a0aa2902ef4dbc97a88d6b4428a2ee1a75474382b451ebe8bec3bc126845d470540df06f72004c9ec3a6481f3ecfaa6446719910f3b9490b5

    • SSDEEP

      12288:tz7hU5I5yuNHIgzSFKxWltRohBfSTso93UCv1hNhcFVxO4ePQnAf2Oy15:tf+iN57Gtene3lMFYPQnAf2OyH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks