General

  • Target

    ASW-SHIPPING CLEARANCE DOCUMENT 0382--0000.zip

  • Size

    608KB

  • Sample

    240917-mjt29sybml

  • MD5

    ff89831bf113c32c7858762368acacd7

  • SHA1

    2bb209239a49b87446031615c506f15536b943ca

  • SHA256

    5d7293f1f8e8d76a408661a257f3e7b0353b347ab18e676982b6db47af7cf134

  • SHA512

    7059fe7d1e0efcd48de7828cea8c59586e96884f35db561765d4de829a4746f6c3650c4493cc61713b49f471101c0f268ad9e40b6f85dc3ce936b671b63e4f9a

  • SSDEEP

    12288:Mq2YyLytxM05prVsKqHfXNZWezrGLfdncyJA1DSaKW9Fi3sIiUHltgvXDTaX:MbxqzQvvrGLhc/DSa39Fi3JHltgvTT4

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    u;4z3V.Iir1l

Targets

    • Target

      ASW.exe

    • Size

      2.3MB

    • MD5

      634121b2af66dd5433c1155702abc84c

    • SHA1

      f3fd2a1800c4272bdf8209ff47e3703a4923e699

    • SHA256

      499df614b640e6e6531f32ceb3271d7d661f5256d49f57e9d360a4791d37943f

    • SHA512

      60786abdb281fe3f4fc4e242434fb280271684f13b683dc9cd32ac1a6e29ba496cea2c22ee1a82fa9dd6896f6530e9a0c07e2245ee35fc6100f7d684623bc805

    • SSDEEP

      12288:tuEAmDY2kyLG/XModp1HmKwHfX7ZWezHiLfdHcWJWnVMaKo9Nip2IiUlbtgfXD70:cM9y3QvpHiLFcVVMaP9Nip7lbtgfT70

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this sample exfiltrates harvested credentials over FTP using the configuration extracted above.

    • UAC bypass

    • Windows security bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
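The PowerShell signature above (Add-MpPreference / Set-MpPreference used to carve out Defender exclusions) is one of the few behaviours in this list that leaves a clean trail in process-creation telemetry. The following is an added detection example written for this page; it is not part of the sandbox report or of the Triage signature set. It scans command lines of the kind found in Sysmon Event ID 1 or Security 4688 records, extracts the excluded paths, extensions and processes, and also decodes the -EncodedCommand form (base64 of UTF-16LE) that loaders commonly use to hide the cmdlet. The sample command lines, the Windows paths in them and the use of ASW.exe as an excluded process name are constructed for illustration and are not taken from the sample's own behaviour.

```python
"""Flag PowerShell command lines that add or rewrite Windows Defender exclusions.

Added example for the 'Command and Scripting Interpreter: PowerShell' signature;
not part of the sandbox report. All sample input below is constructed.
"""
import base64
import binascii
import re

# Cmdlets that add (or overwrite) Defender preferences; both can plant exclusions.
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# One PowerShell argument (single-quoted, double-quoted or bare word) and a
# comma-separated list of them, as in: -ExclusionPath 'C:\a', "C:\b", C:\c
_TOKEN = r"""(?:'[^']*'|"[^"]*"|[^\s,'"]+)"""
_LIST = rf"{_TOKEN}(?:\s*,\s*{_TOKEN})*"
EXCLUSION_PARAM = re.compile(rf"-Exclusion(Path|Extension|Process)\s+({_LIST})", re.IGNORECASE)

# Protection switches that are frequently turned off alongside exclusions.
DISABLE_PARAM = re.compile(
    r"-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|ScriptScanning)\b",
    re.IGNORECASE,
)

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; these are the
# abbreviations most often seen. The payload is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _split_values(raw):
    """Split a PowerShell value list into unquoted items."""
    return [tok.strip("'\"") for tok in re.findall(_TOKEN, raw)]


def analyze_cmdline(cmdline):
    """Inspect one process command line (Sysmon EID 1 / Security 4688 style).

    Returns None when no Defender preference tampering is present; otherwise a
    dict with exclusions by kind, disabled protections, and whether the cmdlet
    was hidden inside an encoded command.
    """
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    if not MP_CMDLET.search(text):
        return None
    exclusions = {"Path": [], "Extension": [], "Process": []}
    for kind, raw in EXCLUSION_PARAM.findall(text):
        exclusions[kind.capitalize()].extend(_split_values(raw))
    disabled = sorted({d.lower() for d in DISABLE_PARAM.findall(text)})
    return {"exclusions": exclusions, "disabled": disabled, "encoded": decoded is not None}


# Constructed sample command lines (not from the report); paths are placeholders.
_ENCODED_PAYLOAD = 'Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionExtension ".exe"'
SAMPLE_CMDLINES = [
    # Plain form: exclusions for paths, extensions and a process, as the signature describes.
    "powershell.exe -NoProfile -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public', 'C:\\ProgramData' "
    "-ExclusionExtension exe,dll -ExclusionProcess 'ASW.exe'\"",
    # Same intent hidden behind -enc (base64 of UTF-16LE).
    "powershell.exe -w hidden -enc " + base64.b64encode(_ENCODED_PAYLOAD.encode("utf-16-le")).decode(),
    # Benign uses of the same binary that must not fire.
    "powershell.exe -Command Get-MpPreference",
    "powershell.exe -Command \"Get-ChildItem 'C:\\Windows\\Temp'\"",
]


def scan(cmdlines=SAMPLE_CMDLINES):
    """Return (cmdline, finding) pairs for every line that shows tampering."""
    hits = []
    for cmdline in cmdlines:
        finding = analyze_cmdline(cmdline)
        if finding is not None:
            hits.append((cmdline, finding))
    return hits


if __name__ == "__main__":
    for cmdline, finding in scan():
        mode = "encoded" if finding["encoded"] else "plain"
        print(mode, finding["exclusions"], finding["disabled"])
```

Matching on the cmdlet rather than on powershell.exe alone keeps Get-MpPreference and ordinary scripts quiet, and decoding -EncodedCommand before matching is what catches the obfuscated variant; a rule that only inspects the raw command line misses it. In an environment with Script Block Logging (Event ID 4104) the same regexes can be applied to the logged script text, where the encoding has already been undone.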

MITRE ATT&CK Enterprise v15

Tasks