General

  • Target

    Remittance_slip‮fdp..exe

  • Size

    1.6MB

  • Sample

    240915-x1g45szakp

  • MD5

    6c1c6a49edcabab2dafc014937cd388d

  • SHA1

    03fb8fe4ecfb3f3967a6eee4edb1faf2b19c1924

  • SHA256

    998328ecd3a13fd3287f88e37119064b3a4094d2e935786a5327d47e4ed4466b

  • SHA512

    22c1e0cecfa8a7900fef22eeea9b4cd555bb3fef2b681ef464c2a6aac65990ce25acc399c17cbc57df238f26fb4bdb10da829163a78a3713994d95407d4a8b70

  • SSDEEP

    12288:ixEAmDzLDXtfwweWBc6IutzOBk+uynC6h/kUBPtKB/KN4+szCuVR32gWYXKP:caLDXtfwwVBPtzEJhBVKI4ZCuPmDYXKP

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    u;4z3V.Iir1l

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    u;4z3V.Iir1l

Targets

    • Target

      Remittance_slip‮fdp..exe

    • Size

      1.6MB

    • MD5

      6c1c6a49edcabab2dafc014937cd388d

    • SHA1

      03fb8fe4ecfb3f3967a6eee4edb1faf2b19c1924

    • SHA256

      998328ecd3a13fd3287f88e37119064b3a4094d2e935786a5327d47e4ed4466b

    • SHA512

      22c1e0cecfa8a7900fef22eeea9b4cd555bb3fef2b681ef464c2a6aac65990ce25acc399c17cbc57df238f26fb4bdb10da829163a78a3713994d95407d4a8b70

    • SSDEEP

      12288:ixEAmDzLDXtfwweWBc6IutzOBk+uynC6h/kUBPtKB/KN4+szCuVR32gWYXKP:caLDXtfwwVBPtzEJhBVKI4ZCuPmDYXKP

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • UAC bypass

    • Windows security bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks