General

  • Target

    PAYMENT 00251,8301,66329.xxe

  • Size

    846KB

  • Sample

    240917-j5yqssshke

  • MD5

    a17a141641b02eaaad941d846db87e4b

  • SHA1

    9da284f060e817a8a85ce6d223d045800dec51c2

  • SHA256

    738a2795ed26727349bbd0dadfbad119c94b04707cd36669252cf3b36dd98636

  • SHA512

    20a33737d645e2857d0d9b6f0fdfe74a252fa2a6dc67236511f40ce828a9a47f8854e5a2f615d8b12456e615c5d5a3409b8b7f6f5cb5bf039c246aef7689c5d5

  • SSDEEP

    24576:2U+Q7KyXetdmVyeltuZV6lPo9YmF9s/DDM5VOBlOhq6KDm:2U19smDQw7mFK/s50Dcq6+m

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.flujoauditorias.cl
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    l;0jGu7J;z_a

Extracted

Family

agenttesla

Targets

    • Target

      PAYMENT 00251,8301,66329.bat

    • Size

      77.0MB

    • MD5

      54d5035f6e0651a42081bbf94c992575

    • SHA1

      356a2631c588d5b5bc67999a0c3ea5f9233af4b2

    • SHA256

      dcc7a889e4a2b801932f6389e657c4d3c6c3974af4044801ab68379cc2b600e0

    • SHA512

      f6f3ff19c338b9a7ae00f0b1fc01c9f995a659088ec49bafacb503b4ffe8964eb03795a6cde61dd645a727edac20deabdcf5534ba4b876de74c68bfa9b454a48

    • SSDEEP

      24576:uRmJkcoQricOIQxiZY1iaCOnJQmut27bcalIZhgQAx:7JZoQrbTFZY1iaCOnJButijlIKx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET; it typically exfiltrates harvested credentials over SMTP, FTP or HTTP using the mail server and account hard-coded in its configuration (the SMTP host, port and credentials extracted above).

    • Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

      Malicious access to, or copying of, a web browser credential store.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      The sample calls SetThreadContext on a thread it does not own. Writing a decoded payload into a suspended child process and then resetting that process's main thread context to the injected entry point is the classic process-hollowing pattern, so this call is a strong injection indicator on its own.
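
The extracted SMTP configuration above and the external-IP-lookup signature give a network analyst something to hunt for without the sample itself. The following Python script is an added example for this page, not code from the sandbox or from the malware, that correlates those two indicators over constructed DNS and connection log lines. The list of IP-lookup services it checks is an assumption, since the report does not say which service the sample contacted; the log format and the host addresses are likewise constructed for illustration.

```python
"""
Correlate the indicators from this report (the SMTP exfiltration host/port
and the "looks up external IP" behaviour) against DNS and connection logs.
Added example for this page; not tooling from the sandbox or the malware.
All log lines below are constructed for illustration.
"""
from collections import defaultdict

# Indicators copied from the extracted configuration above.
SMTP_EXFIL_HOST = "mail.flujoauditorias.cl"
SMTP_EXFIL_PORT = 587

# Assumption: the report does not name the IP-lookup service the sample
# used, so this is a hypothetical list of services commonly abused for it.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}

# Seconds allowed between an external-IP lookup and the SMTP connection.
CORRELATION_WINDOW = 60.0

# Constructed logs. DNS: "<ts> <src> <query>". Conn: "<ts> <src> <dst> <dport> <proto>".
DNS_LOG = """\
1726557002.00 10.0.0.15 api.ipify.org
1726557003.00 10.0.0.15 mail.flujoauditorias.cl
1726557009.00 10.0.0.22 updates.example.com
1726557020.00 10.0.0.31 checkip.dyndns.org
"""
CONN_LOG = """\
1726557001.10 10.0.0.15 203.0.113.8 443 tcp
1726557003.42 10.0.0.15 198.51.100.23 587 tcp
1726557010.00 10.0.0.22 203.0.113.9 25 tcp
1726557400.00 10.0.0.31 198.51.100.40 587 tcp
"""


def parse_dns(text):
    """Return (ts, src, query) tuples; queries are lower-cased, trailing dot dropped."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, query = line.split()
        out.append((float(ts), src, query.lower().rstrip(".")))
    return out


def parse_conn(text):
    """Return (ts, src, dst, dport, proto) tuples from the constructed conn log."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        out.append((float(ts), src, dst, int(dport), proto))
    return out


def find_exfil_candidates(dns_text, conn_text):
    """
    Return a list of (src, reason) findings from two detections:
      1. Any DNS query for the SMTP host extracted from the sample's config.
      2. A host that queries an external-IP lookup service and then opens a
         TCP connection to port 587 within CORRELATION_WINDOW seconds.
    Port 587 normally carries STARTTLS, so the mail body (and the hard-coded
    credentials) are not visible on the wire; the DNS query and the
    connection metadata are what a sensor can still see.
    """
    findings = []
    lookups = defaultdict(list)  # src -> timestamps of IP-lookup queries

    for ts, src, query in parse_dns(dns_text):
        if query == SMTP_EXFIL_HOST:
            findings.append((src, f"dns query for extracted C2 host {query}"))
        if query in IP_LOOKUP_HOSTS:
            lookups[src].append(ts)

    for ts, src, dst, dport, proto in parse_conn(conn_text):
        if proto != "tcp" or dport != SMTP_EXFIL_PORT:
            continue
        recent = [t for t in lookups.get(src, []) if 0 <= ts - t <= CORRELATION_WINDOW]
        if recent:
            delay = ts - max(recent)
            findings.append((src, f"external-IP lookup followed by SMTP submission "
                                  f"to {dst}:{dport} within {delay:.0f}s"))
    return findings


if __name__ == "__main__":
    for src, reason in find_exfil_candidates(DNS_LOG, CONN_LOG):
        print(f"{src}: {reason}")
```

On the constructed logs only 10.0.0.15 is flagged, on both rules; 10.0.0.22 talks to port 25 and is ignored, and 10.0.0.31's IP lookup is too far from its port-587 connection to correlate. In production the window and the lookup-service list are the knobs to tune, and rule 1 alone is enough to justify pulling the host for triage.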

MITRE ATT&CK Enterprise v15

Tasks