General

  • Target: 72c145dca14edd2096019fe961f0eca46924aafd648e1b3895c8f69c64ff24faN
  • Size: 683KB
  • Sample: 240921-nlmlmszfnk
  • MD5: 196d72a941517ca4a63fcf1c71af4f20
  • SHA1: ef3d42e6566313cee4f3696c614bf72029cf3faa
  • SHA256: 72c145dca14edd2096019fe961f0eca46924aafd648e1b3895c8f69c64ff24fa
  • SHA512: 266ee1a72c1f0e317497d6b58dc38b215cd488b49f4e6bc81749b64320633ce707d5d8c641637c372a25cd16b74312967c02999fe07d3c0a1400a47b171adf66
  • SSDEEP: 12288:+e8CgCTxI3lavjshPwfcmLdVssLr/UJdEUr4cugQkWlSquEIvwmEjTAVGWkR:/5IIrsPws+6BugFWlSqnIvIAVGN

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://ftp.controlfire.com.mx
  • Port: 21
  • Username: [email protected]
  • Password: 0a4XlE=4t8mz

Extracted

Credentials

  • Protocol: ftp
  • Host: ftp.controlfire.com.mx
  • Port: 21
  • Username: [email protected]
  • Password: 0a4XlE=4t8mz

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks