General

  • Target

    022a85c091754185d0b3ec02282d9e64832cc9c4cc42be3dde3d35ed1b82e72c.img

  • Size

    1.2MB

  • Sample

    240926-betp6a1cqf

  • MD5

    0e16b40c80e0d8ce33fdacd0c7432db6

  • SHA1

    79c1b813709eec6795d6635367809712857516b3

  • SHA256

    022a85c091754185d0b3ec02282d9e64832cc9c4cc42be3dde3d35ed1b82e72c

  • SHA512

    f87e26403663c990a7aa0f8ba57b76ab314c987a9ef911130f77e4d420ab5ddb8801d85cffc85c6e79843ef4a3e115773b17cdab741114860bde38a7a1637641

  • SSDEEP

    24576:rfLNnSs8r4yDGOE6X12De6mF3XF4i7XPP:Ts4yDm6MuF3fTPP

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://ftp.concaribe.com
  • Port: 21
  • Username: [email protected]
  • Password: ro}UWgz#!38E

Targets

    • Target

      Shipping documents 000022999878999800009999.exe

    • Size

      712KB

    • MD5

      4ecafa8f623606caf0a925f5c6b2eb10

    • SHA1

      59cb79183b9547b3915c8aa09ed904f84bcab22c

    • SHA256

      3fe8f843e696c1dacbdcabed38d7132776915d89b60ac10c68fda048cbfe044f

    • SHA512

      d1dc9a1af2fdf373893a99f16a6cbe7cf0f5c9c3b77936c8535ad0bba226542c132f562b30551d9c10ee2ef249160e8af85867ed3b2601198709d0e977a26323

    • SSDEEP

      12288:ffLdembnSidCbvZROJ9cDGUugE6X12xKSl1a3qmFLgoXFDsiJjWlWVB0mPH4V:ffLNnSs8r4yDGOE6X12De6mF3XF4i7X2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      7KB

    • MD5

      b4579bc396ace8cafd9e825ff63fe244

    • SHA1

      32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

    • SHA256

      01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

    • SHA512

      3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

    • SSDEEP

      96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks