General
-
Target
Trojan.MSIL.Taskun.AMA.MTB-c75134c43e97b75bca4ced11b721253c5774cb0a78184acdc5c55580aa07df85-NeikiAnalytics
-
Size
699KB
-
Sample
240915-r3r48sybnb
-
MD5
ace395f2b26c4c2cacdac246367c2060
-
SHA1
28a7e06e9c884a6bd19e2a72a707deddc926c8f7
-
SHA256
c75134c43e97b75bca4ced11b721253c5774cb0a78184acdc5c55580aa07df85
-
SHA512
38ca34874df309e5ccc849614b3800a0f487920ee3c2b6c076eb7b5717807eb510257ad07a321b455280ed12ecaa8d7ce47e847a8989d79a07d6b7aab24ce5be
-
SSDEEP
12288:HwPjab8rnxCwK1BWng4WYEAH9Dd3Qc9cLWM9WiR6i6Qc7JYdViwt5XH:HwjabiCwwQng4tE2t2Kf+/OJ4iw5
Static task
static1
Behavioral task
behavioral1
Sample
Trojan.MSIL.Taskun.AMA.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Trojan.MSIL.Taskun.AMA.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Extracted
Protocol: ftp- Host:
beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Targets
-
-
Target
Trojan.MSIL.Taskun.AMA.MTB-c75134c43e97b75bca4ced11b721253c5774cb0a78184acdc5c55580aa07df85-NeikiAnalytics
-
Size
699KB
-
MD5
ace395f2b26c4c2cacdac246367c2060
-
SHA1
28a7e06e9c884a6bd19e2a72a707deddc926c8f7
-
SHA256
c75134c43e97b75bca4ced11b721253c5774cb0a78184acdc5c55580aa07df85
-
SHA512
38ca34874df309e5ccc849614b3800a0f487920ee3c2b6c076eb7b5717807eb510257ad07a321b455280ed12ecaa8d7ce47e847a8989d79a07d6b7aab24ce5be
-
SSDEEP
12288:HwPjab8rnxCwK1BWng4WYEAH9Dd3Qc9cLWM9WiR6i6Qc7JYdViwt5XH:HwjabiCwwQng4tE2t2Kf+/OJ4iw5
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1