General

  • Target

    P0n.1037596.exe

  • Size

    1.4MB

  • Sample

    240922-we4kkssdmj

  • MD5

    779916ce1a42f01bfbd61d9a8590c986

  • SHA1

    1c96e7bc16c39d4d021526accda62dc356cd2425

  • SHA256

    d5ae03977dc29b4ed4736c3f045bb47a670255d47dd189a58b90485ae23417b8

  • SHA512

    f1b084835e3145de0651af493cc2c5ce8fe35bf594193001adf619155221c9101da84021f672935c382b8ad66347648e33ba7e04931c4fd43b6fc07083bfdfc9

  • SSDEEP

    24576:pCdxte/80jYLT3U1jfsWaRvFrVIDbJtWF1WeiWr6dMu6Q:Yw80cTsjkWaRTIPO7ziA66u

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.gizemetiket.com.tr
  • Port:
    21
  • Username:
    pgizemM6
  • Password:
    giz95Ffg

Targets

    • Target

      P0n.1037596.exe

    • Size

      1.4MB

    • MD5

      779916ce1a42f01bfbd61d9a8590c986

    • SHA1

      1c96e7bc16c39d4d021526accda62dc356cd2425

    • SHA256

      d5ae03977dc29b4ed4736c3f045bb47a670255d47dd189a58b90485ae23417b8

    • SHA512

      f1b084835e3145de0651af493cc2c5ce8fe35bf594193001adf619155221c9101da84021f672935c382b8ad66347648e33ba7e04931c4fd43b6fc07083bfdfc9

    • SSDEEP

      24576:pCdxte/80jYLT3U1jfsWaRvFrVIDbJtWF1WeiWr6dMu6Q:Yw80cTsjkWaRTIPO7ziA66u

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks