General

  • Target

    86c0e8c71fe53ff1ee1ac2a494c208392b9f4128f85552e69105e8fa19724f63.exe

  • Size

    801KB

  • Sample

    240922-jr5l7aygpg

  • MD5

    f7407d909a701a85f0aec9c898ebed35

  • SHA1

    19fb4fbbc9e1f1e279b9f046e0667287cef40951

  • SHA256

    86c0e8c71fe53ff1ee1ac2a494c208392b9f4128f85552e69105e8fa19724f63

  • SHA512

    3d6b55c42e8309a059a923560ef7838c13385c4680c467669b9900dce55fd31827aa0490964649768b80f891ab4e6e26f45a4455ff92d64cbf8d9fe065a9fd91

  • SSDEEP

    12288:v6Wq4aaE6KwyF5L0Y2D1PqLRpZnECRwtmO64RPFG3lAr9T7IrqmK+2tZb1XswHTt:tthEVaPqL1l/O641F5TYKlZpXRTBDyO9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.elquijotebanquetes.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    -GN,s*KH{VEhPmo)+f
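The extracted config above is the part of this report that turns directly into a detection: the exfiltration endpoint is a plain FTP server, so any outbound FTP session or DNS lookup for that host from a workstation is a high-confidence hit. The following is an added example (not part of the sandbox report or its vendor's tooling) that normalises the host from the `ftp://` URL in the config and runs it against a few constructed `key=value` log lines; the log format, the source/destination addresses and the benign entries are assumptions made for the example, and the FTP password is deliberately left out of the code.

```python
"""IOC matching for the extracted Agent Tesla FTP exfiltration config.

Added example, not from the sandbox report. The log format below
("<ts> key=value key=value ...") and every log line are constructed for
demonstration; the host/port/protocol come from the report's config block.
"""
from urllib.parse import urlparse

# Copied from the report's "Malware Config" block (credentials omitted on purpose).
EXTRACTED_CONFIG = {
    "protocol": "ftp",
    "host": "ftp://ftp.elquijotebanquetes.com",
    "port": 21,
}

# Constructed log lines (assumed firewall/DNS export). 203.0.113.x and
# 198.51.100.x are documentation ranges, not real resolutions of anything.
SAMPLE_LOGS = [
    "2024-09-22T09:41:05Z type=dns src=10.0.0.15 query=ftp.elquijotebanquetes.com",
    "2024-09-22T09:41:06Z type=conn src=10.0.0.15 dst=203.0.113.10 dport=21 proto=tcp host=ftp.elquijotebanquetes.com",
    "2024-09-22T09:42:10Z type=conn src=10.0.0.22 dst=203.0.113.99 dport=443 proto=tcp host=www.example.com",
    "2024-09-22T09:43:00Z type=conn src=10.0.0.31 dst=198.51.100.7 dport=21 proto=tcp host=ftp.example.org",
]


def normalize_host(url_or_host: str) -> str:
    """Return a bare lowercase hostname from either 'ftp://host' or 'host'."""
    if "://" in url_or_host:
        return (urlparse(url_or_host).hostname or "").lower()
    return url_or_host.lower().rstrip(".")


def build_iocs(config: dict) -> dict:
    """Turn the extracted config into the fields a log search needs."""
    return {
        "host": normalize_host(config["host"]),
        "port": int(config["port"]),
        "proto": config["protocol"].lower(),
    }


def parse_kv_line(line: str) -> dict:
    """Parse '<ts> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def host_matches(candidate: str, ioc_host: str) -> bool:
    """Exact match or a subdomain of the IOC host (never a substring match)."""
    c = normalize_host(candidate)
    return bool(c) and (c == ioc_host or c.endswith("." + ioc_host))


def find_hits(lines, iocs: dict):
    """Return (timestamp, source, reason) for every line that touches the exfil host."""
    hits = []
    for line in lines:
        f = parse_kv_line(line)
        if f.get("type") == "dns" and host_matches(f.get("query", ""), iocs["host"]):
            hits.append((f["ts"], f.get("src"), "dns:" + f["query"]))
        elif f.get("type") == "conn" and host_matches(f.get("host", ""), iocs["host"]):
            hits.append((f["ts"], f.get("src"), "conn:%s:%s" % (f["host"], f.get("dport", "?"))))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS, build_iocs(EXTRACTED_CONFIG)):
        print(hit)
```

Matching is on the hostname only: port 21 by itself is a weak indicator (the constructed `ftp.example.org` line is intentionally not flagged), while the DNS query for the exfil host fires even before the TCP session is logged, which is the earlier of the two signals to alert on.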

Targets

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (early builds were written in VB.NET); it harvests credentials and keystrokes and exfiltrates them over SMTP, FTP or HTTP, which is why the extracted config above holds an FTP account.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

      Setting the register context of a thread in another process is a hallmark of process hollowing and similar injection, where the packer or loader starts a legitimate process suspended, replaces its image with the payload and redirects the main thread to it.

MITRE ATT&CK Enterprise v15

Tasks