General

  • Target

    Confirmación de pago.tgz

  • Size

    1.4MB

  • Sample

    240916-kysrmsygqb

  • MD5

    f7455f462dcaa58e46ceb606d51a3b96

  • SHA1

    c29da0495d6c998caba875acb0cae66c94900e9a

  • SHA256

    aee487cfb44d63408f984764a1a3ffafbe6986db198a66d90c1ac97c389d95ff

  • SHA512

    46fcfd6b3a2f001765c9d542c0bae106c8f4714a28d36309667ed543f32bcddb941d9aa020f18c2015687265475556cdd62b1943d9d625796f55bf4fca0654f5

  • SSDEEP

    12288:+1W3nUQNUVFWaMCe+ej65u1P2t8QTW6Ptywb7+aH6hq5V:ReFWYRw1PAvPcwb7fee

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/
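The extracted C2 is not a server the actor runs but the Telegram Bot API with the bot token embedded in the URL path (`/bot<numeric id>:<secret>/<method>`). The following is an added example, not code from the sandbox or the report, showing how to pull the pivot points out of that URL and match any Telegram Bot API call in decrypted proxy or EDR URL logs, flagging the ones that use this sample's token. The 35-character secret length, the log line layout, the `sendDocument`/`getMe` methods and the client IPs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# C2 value as extracted by the sandbox (copied from the report above).
C2_URL = "https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/"

# Bot API URLs carry the token in the path: /bot<numeric id>:<secret>/<method>.
# The 35-character secret length is an assumption based on observed tokens.
BOT_PATH_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w*)"
)


def parse_c2(url: str) -> dict:
    """Split a Telegram Bot API C2 URL into the pieces an analyst pivots on."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError(f"unexpected C2 host: {parts.hostname!r}")
    m = BOT_PATH_RE.match(url)
    if not m:
        raise ValueError("path does not start with a well-formed bot token")
    return {
        "host": parts.hostname,
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",   # treat as a credential, do not reuse it
    }


def find_bot_api_requests(log_lines, known_token=None):
    """Scan URL logs for Telegram Bot API calls; mark those using a known C2 token."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for m in BOT_PATH_RE.finditer(line):
            token = f"{m['bot_id']}:{m['secret']}"
            hits.append({
                "line": lineno,
                "bot_id": m["bot_id"],
                "method": m["method"] or "<none>",
                "known_c2": token == known_token,
            })
    return hits


# Constructed sample lines in a generic "timestamp client method url" layout; not real traffic.
SAMPLE_LOG = [
    "2024-09-16T10:01:02Z 10.0.0.15 CONNECT api.telegram.org:443",
    "2024-09-16T10:01:03Z 10.0.0.15 POST https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/sendDocument",
    "2024-09-16T10:02:45Z 10.0.0.22 GET https://api.telegram.org/bot1234567890:" + "B" * 35 + "/getMe",
    "2024-09-16T10:03:10Z 10.0.0.31 GET https://example.org/index.html",
]

if __name__ == "__main__":
    c2 = parse_c2(C2_URL)
    print("bot id:", c2["bot_id"])
    for hit in find_bot_api_requests(SAMPLE_LOG, known_token=c2["token"]):
        print(hit)
```

Two caveats. Without TLS interception a proxy sees only the `CONNECT api.telegram.org:443` (or the DNS/SNI for that host), so the token-level match only works on decrypted traffic, on the host, or on the sample's own configuration; at network level the hostname is the practical signal, and it will also fire on legitimate bots in the environment, which is why the `known_c2` flag separates this sample's bot from the rest. The token gives full control of the bot; handle it as a leaked credential and report it to Telegram rather than querying the bot with it.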

Targets

    • Target

      Confirmación de pago.tgz

    • Size

      1.4MB

    • MD5

      f7455f462dcaa58e46ceb606d51a3b96

    • SHA1

      c29da0495d6c998caba875acb0cae66c94900e9a

    • SHA256

      aee487cfb44d63408f984764a1a3ffafbe6986db198a66d90c1ac97c389d95ff

    • SHA512

      46fcfd6b3a2f001765c9d542c0bae106c8f4714a28d36309667ed543f32bcddb941d9aa020f18c2015687265475556cdd62b1943d9d625796f55bf4fca0654f5

    • SSDEEP

      12288:+1W3nUQNUVFWaMCe+ej65u1P2t8QTW6Ptywb7+aH6hq5V:ReFWYRw1PAvPcwb7fee

    • Score

      3/10
    • Target

      sample

    • Size

      810.6MB

    • MD5

      7fe98a6e5f0d17baeac7e42c3723d128

    • SHA1

      27bb29e7b919df8f9f9e39a5048d262b7ea6c2c5

    • SHA256

      3a1905a02d95a95fe9ffa32e967794f30cb67ffbf58f3157d2a900d0e939ec51

    • SHA512

      957d6ce70f9a9167b38fa89fc73c004fd0a5b5475719338e071da5a74b2fa639a3c4ee006348b206747b96364952b987fbe2190fdf5911f2d5cbd03096a99320

    • SSDEEP

      12288:Cti6NGb1oa6i42ez6fu1P+t8UTWibJEw5roaH6NqC:z1oY/21PITbOw5rZS

    • Score

      3/10
    • Target

      Confirmación de pago.exe

    • Size

      810.6MB

    • MD5

      55f21afea211a393b016c037db0dee43

    • SHA1

      e0772dccb1f17d89f122876b148488530b693af6

    • SHA256

      99c708fb16999955b141f531644e954ba7e12453af9e11e968d3b9d0bcaed268

    • SHA512

      a44e5a7086e60ca1c9bbbf1b44e010747c38a3153418b95dd1e6f00af9b57b1c9071d6124ef66613a056bc951f6395a919fdaec0a4735c443a2bf834ee4b9429

    • SSDEEP

      12288:kti6NGb1oa6i42ez6fu1P+t8UTWibJEw5roaH6NqC:V1oY/21PITbOw5rZS

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written for the .NET framework.

    • Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell (T1059.001)

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process hollowing and other code-injection techniques, where a suspended process is redirected to attacker-controlled code.
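The target list above shows a 1.4 MB archive that unpacks to an 810.6 MB executable. An analyst looking at that wants two things before touching the contents: an inventory of the archive that never extracts to disk (tar members can carry absolute or `../` names), and a measure of how much of the inflated file is filler. The following is an added example, not code from the sandbox or the report, that streams a `.tgz` member by member, hashes each one, counts null bytes and computes the inflation ratio. The archive it runs on is constructed in memory (a 4 MiB null-padded stub with an `MZ` header plus one traversal-named member); the alert thresholds are assumptions chosen for the example.

```python
import hashlib
import io
import re
import tarfile

CHUNK = 1 << 20
# Alert thresholds (assumptions for this example, not values from the report).
INFLATE_RATIO_ALERT = 50.0     # uncompressed bytes / compressed bytes
NULL_FRACTION_ALERT = 0.90     # share of 0x00 bytes within one member


def build_sample_tgz(padded_size: int = 4 * 1024 * 1024) -> bytes:
    """Constructed stand-in for the archive: a tiny MZ-headed stub padded with nulls,
    plus one member with a traversal name. Not the real sample."""
    stub = b"MZ" + b"\x90" * 62 + b"fake-pe-stub"
    body = stub + b"\x00" * (padded_size - len(stub))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("sample.exe", body), ("../../evil.txt", b"x")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_unsafe_name(name: str) -> bool:
    """Absolute paths, drive letters and '..' components must never be extracted as-is."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or bool(re.match(r"^[A-Za-z]:", name)) or ".." in parts


def triage_tgz(blob: bytes) -> dict:
    """Inventory a .tgz without writing anything to disk: per-member SHA-256,
    null-byte share, unsafe names, and the overall inflation ratio."""
    members = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for info in tar:
            entry = {"name": info.name, "size": info.size, "unsafe_path": is_unsafe_name(info.name)}
            if info.isfile():
                digest, nulls = hashlib.sha256(), 0
                f = tar.extractfile(info)
                while chunk := f.read(CHUNK):      # stream: never hold 800 MB in memory
                    digest.update(chunk)
                    nulls += chunk.count(0)
                entry["sha256"] = digest.hexdigest()
                entry["null_fraction"] = nulls / info.size if info.size else 0.0
            members.append(entry)
    total = sum(m["size"] for m in members)
    ratio = total / len(blob)
    return {
        "archive_sha256": hashlib.sha256(blob).hexdigest(),
        "compressed_size": len(blob),
        "uncompressed_size": total,
        "inflate_ratio": ratio,
        "likely_padded": ratio >= INFLATE_RATIO_ALERT
        or any(m.get("null_fraction", 0.0) >= NULL_FRACTION_ALERT for m in members),
        "members": members,
    }


if __name__ == "__main__":
    report = triage_tgz(build_sample_tgz())
    print(f"inflation {report['inflate_ratio']:.0f}:1, padded={report['likely_padded']}")
    for m in report["members"]:
        print(m)
```

Applied to the sizes in the report, 1.4 MB expanding to 810.6 MB is an inflation of roughly 580:1, which this heuristic would flag; that the executable is null-padded to push it past scanner size limits is an inference from the sizes, not something the sandbox states. The two 810.6 MB targets (`sample` and `Confirmación de pago.exe`) have different MD5s, but their SSDEEP hashes differ only in the first character of each segment, so they are near-identical content. A `.tgz` rather than a `.zip` also means some mail gateways and desktop archivers handle it differently; the safe-name check here is the minimum before any extraction.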

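The PowerShell signature above (Defender exclusions for extensions, paths and processes) is one of the better detection opportunities in this report, because the command line is visible in process-creation telemetry even when the payload itself is packed. The following is an added example, not code from the sandbox or the report, that runs over constructed Sysmon Event ID 1 / Security 4688 style command lines, decodes `-EncodedCommand` arguments, and extracts which exclusions `Add-MpPreference` / `Set-MpPreference` were asked to add. The command lines, paths and `updater.exe` name are constructed for the example.

```python
import base64
import binascii
import re

# Cmdlets that add Defender exclusions. PowerShell accepts any unambiguous parameter
# prefix (-ExclusionPa works), so the parameter name is matched loosely and canonicalised.
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)
PARAM_RE = re.compile(r"-(Exclusion\w*)\s+(.*?)(?=\s-[A-Za-z]|$)", re.I)
VALUE_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^\s,]+)')
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.I)
FULL_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess", "ExclusionIpAddress")


def decode_encoded_command(line: str):
    """Return the UTF-16LE payload of a -EncodedCommand argument, or None."""
    m = ENC_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def canonical_param(prefix: str) -> str:
    matches = [p for p in FULL_PARAMS if p.lower().startswith(prefix.lower())]
    return matches[0] if len(matches) == 1 else "Exclusion*"   # ambiguous prefix


def detect(line: str):
    """Return details of an exclusion-adding command in one process-creation line, else None."""
    decoded = decode_encoded_command(line)
    text = decoded if decoded is not None else line
    cmd = CMDLET_RE.search(text)
    if not cmd:
        return None
    params = {}
    for pm in PARAM_RE.finditer(text):
        values = ["".join(t) for t in VALUE_RE.findall(pm.group(2))]
        params.setdefault(canonical_param(pm.group(1)), []).extend(values)
    if not params:            # Set-MpPreference used for something other than exclusions
        return None
    return {"cmdlet": cmd.group(0), "params": params, "from_encoded": decoded is not None}


def scan(lines):
    return [dict(line=i, **hit) for i, line in enumerate(lines, 1) if (hit := detect(line))]


# Constructed command lines in the shape of Sysmon EID 1 / Security 4688 CommandLine fields.
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionExtension ".exe",".dll"'.encode("utf-16-le")).decode()
SAMPLE_LINES = [
    r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming" -ExclusionProcess "updater.exe"',
    "powershell.exe -nop -w hidden -enc " + _ENCODED,
    r"powershell.exe -w hidden Set-MpPreference -ExclusionPa C:\Temp\build",
    "powershell.exe Get-MpPreference",
    "powershell.exe Set-MpPreference -ScanScheduleDay 0",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Command-line matching is the cheap first layer; PowerShell Script Block Logging (Event ID 4104) already records the decoded script, and Defender itself writes a configuration-change event (5007 in the Microsoft-Windows-Windows Defender/Operational log) when an exclusion is added, which catches the same change regardless of how it was scripted. Any hit on an endpoint that is not an administrator's management host deserves a look at the excluded path, since it is usually where the payload is about to be dropped.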
MITRE ATT&CK Enterprise v15

Tasks