General

  • Target

    68a483736c12d160216072b5d38bd2ae8de6ddd6f384eea7ef1838892b05c6d5

  • Size

    2.0MB

  • Sample

    240921-1aj3lavdpm

  • MD5

    96b27a9b7a5634ee15d24479395d6325

  • SHA1

    4cc78f71e219ec53da1cc5d38c40f5c30069e493

  • SHA256

    68a483736c12d160216072b5d38bd2ae8de6ddd6f384eea7ef1838892b05c6d5

  • SHA512

    c08a863bfbd633f3f3421095855e58d9ebd4efb3015e7775cd8526faaae6c8468ad6e291377744eb83d2b0f708dc24a88bfefecb5cea997be83885c4e75c2690

  • SSDEEP

    24576:ECdxte/80jYLT3U1jfuZPLrAweki81o2UiEAFmOtsXPxU0155cCWjQ:Vw80cTsj2ZPLrA/k/7UiEAFmOG5Uq3z

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.controlfire.com.mx
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    0a4XlE=4t8mz

Targets

    • Target

      68a483736c12d160216072b5d38bd2ae8de6ddd6f384eea7ef1838892b05c6d5

    • Size

      2.0MB

    • MD5

      96b27a9b7a5634ee15d24479395d6325

    • SHA1

      4cc78f71e219ec53da1cc5d38c40f5c30069e493

    • SHA256

      68a483736c12d160216072b5d38bd2ae8de6ddd6f384eea7ef1838892b05c6d5

    • SHA512

      c08a863bfbd633f3f3421095855e58d9ebd4efb3015e7775cd8526faaae6c8468ad6e291377744eb83d2b0f708dc24a88bfefecb5cea997be83885c4e75c2690

    • SSDEEP

      24576:ECdxte/80jYLT3U1jfuZPLrAweki81o2UiEAFmOtsXPxU0155cCWjQ:Vw80cTsj2ZPLrA/k/7UiEAFmOG5Uq3z

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks