General

  • Target

    c17e06753e71aa66826658cc44f2e620b39d0e52b26d7dc5747ad5966f0ae0a3.exe

  • Size

    664KB

  • Sample

    240925-cxhlaasfkg

  • MD5

    ec1d27d0c50590f58a3d43b8b979e4dc

  • SHA1

    bb6768eec71bd66c50a94b21cdd059994dc264b3

  • SHA256

    c17e06753e71aa66826658cc44f2e620b39d0e52b26d7dc5747ad5966f0ae0a3

  • SHA512

    2bf4090a6bc11e8a5b2055752a51d008aedd7f4dc3483282194b9666f19840ababa805aa18dfccf6d994d46ddf4503e5abed7201556b6388d38af93e6c890aa1

  • SSDEEP

    12288:LhdPAcO4nEOS405ZbvTAuWelX2QqycJGD7uoj6C/e8bQbGsxykR:LvlS405PX2QqRGD7u/ClIGoB

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.libreriagandhi.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    x6p2^m#1#~+O

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.libreriagandhi.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    x6p2^m#1#~+O

Targets

    • Target

      c17e06753e71aa66826658cc44f2e620b39d0e52b26d7dc5747ad5966f0ae0a3.exe

    • Size

      664KB

    • MD5

      ec1d27d0c50590f58a3d43b8b979e4dc

    • SHA1

      bb6768eec71bd66c50a94b21cdd059994dc264b3

    • SHA256

      c17e06753e71aa66826658cc44f2e620b39d0e52b26d7dc5747ad5966f0ae0a3

    • SHA512

      2bf4090a6bc11e8a5b2055752a51d008aedd7f4dc3483282194b9666f19840ababa805aa18dfccf6d994d46ddf4503e5abed7201556b6388d38af93e6c890aa1

    • SSDEEP

      12288:LhdPAcO4nEOS405ZbvTAuWelX2QqycJGD7uoj6C/e8bQbGsxykR:LvlS405PX2QqRGD7u/ClIGoB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks