General
-
Target
Shipping Documents.img
-
Size
1.6MB
-
Sample
241018-j6b87awfka
-
MD5
ca6daf7da6cc2d194bc1c2085ef4daa4
-
SHA1
8732983eda644aab77955fcc6efdafe774c98d62
-
SHA256
824651a985e34ad31a02aa31226883fe396f30cdd491f1da1453c5c79dae95fb
-
SHA512
19900c1a93de2c2f5bceb43668eaf0a57cf4bedcbb6412c31b1178a71dc9622560e05fd10f81944e5135b1ed6e7fd55665e6901d8ce31c938b14188ad7cfe171
-
SSDEEP
12288:c4OpVuMv6/eGOFqi0isX8G2WJHkQ50g/s2QkPICHYA1U+Iau:xg/0yqiwv0f2SCHYAC+I
Static task
static1
Behavioral task
behavioral1
Sample
Shipping Documents.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Shipping Documents.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Targets
-
-
Target
Shipping Documents.bat
-
Size
1016KB
-
MD5
d6d14fc73f7e485b864a1dc1d8fde8f9
-
SHA1
85a6480abc0f54dafff5e4bc2b996e7655f91b2b
-
SHA256
fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b
-
SHA512
00a35cbb44902a58349995ac90800a935df7d28e5e81f3fbd786375be29d7b8dbfb974849046590c0f98702c6f21dbca7a40b5130aca80d84a9c44ee0374061c
-
SSDEEP
12288:m4OpVuMv6/eGOFqi0isX8G2WJHkQ50g/s2QkPICHYA1U+IauB:/g/0yqiwv0f2SCHYAC+I9
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae
-
SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b
-
SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
-
SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
-
SSDEEP
192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
Score3/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1