General

  • Target

    14102024_1408_14102024_SOLICITUD DE OFERTA.tar

  • Size

    1.1MB

  • Sample

    241014-rftpjstanm

  • MD5

    c43fe5a08eae0c9d692185e57a2d09de

  • SHA1

    b50925b59d11e48a4d5c71410118896f59a729ba

  • SHA256

    b693534f253b9727f0d01581b5911a96c80a381f45c9966686174c4728233812

  • SHA512

    755a7c12739b0c563f0ea259961e089d60c3dc4df10b5b995ab78b84236d473d7691b7c83d920fbeaa698d62d1bc9dde97002712e0f203c89a96b486d640f969

  • SSDEEP

    24576:rdsEoDS6xj8nJMKEkgmnOvDJSy3sfVwzmIl/WHnJ4FYk5Y5:P/QaJMtkg79vsfmzmI5EnJ2i

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.es
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    luiyis353173

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SOLICITUD DE OFERTA.exe

    • Size

      1.2MB

    • MD5

      390f59bff9b8ae12634dabde225597a6

    • SHA1

      9f75d22f6a64e93432fc2f4556a346a70f3e766a

    • SHA256

      8b8937667354563a0742b19df2a43b3a780f6990996522ef97c6354e83a07f49

    • SHA512

      b736203f5c08d35df51c4f357d47c163af77b871ec96a58da67405bfb8d5d2c2a4961a0cf8f444d40364c063561f6ececc952da5861c9b5b81bdc91844876f5f

    • SSDEEP

      24576:voqqHmQ2mlKnSKkdyp/aYchYX2LeQObyCNHlJ7CU1GAb1NXou/ys:voZmQ7kSX1YchBNO+IbV1GAZWu/R

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      mnstring/countersway.Udm

    • Size

      53KB

    • MD5

      b4b250e23720806841b663f90a1cc150

    • SHA1

      45ddaec0eedc1bf1e81dcf6a5b86c322840df68f

    • SHA256

      13e894aa19ac8ad670e713c83f1f170752d77934c319762ff147af4a4155deba

    • SHA512

      1642ac1ff2ddf5844472c0442408212d084d3c63c2f27af940ec3974dc30eedd44e4ea06db1688482accdcafad2d4b05378d71febb963bd9af7884842e13b911

    • SSDEEP

      1536:yJWko0R1V8LJPqsB+EhKvk0mFBfJs7yC0EWCqE:8Wko0R4LJPqs48KvDmbJsn0EW2

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks