General

  • Target

    d7ec8f6f25b81a46e53f3c2a3841bc0eb87f5434e9dcfeb76911a2de7223189e.img

  • Size

    1.5MB

  • Sample

    241021-k6x2bszcpm

  • MD5

    20a560055eb3adc08bdb6212bc7fd4d5

  • SHA1

    20510590f85bd55a138b46c4c3490eca7aa3609b

  • SHA256

    d7ec8f6f25b81a46e53f3c2a3841bc0eb87f5434e9dcfeb76911a2de7223189e

  • SHA512

    0a02f233a33e4aca39426e48e017f975eb1c3e506101a22f2fd0e762beffc40aaf3763a348f91bf5ebdc547c30c40c76714e263bb6e4456dd3ada9dd53904d6c

  • SSDEEP

    24576:Ao8RUr/5+1z5qy4liClnpwWcw0r0ye66RnKUgGEM71KOx5h:Ah+/0qygxlpvAGOsKO

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      d7ec8f6f25b81a46e53f3c2a3841bc0eb87f5434e9dcfeb76911a2de7223189e.img

    • Size

      1.5MB

    • MD5

      20a560055eb3adc08bdb6212bc7fd4d5

    • SHA1

      20510590f85bd55a138b46c4c3490eca7aa3609b

    • SHA256

      d7ec8f6f25b81a46e53f3c2a3841bc0eb87f5434e9dcfeb76911a2de7223189e

    • SHA512

      0a02f233a33e4aca39426e48e017f975eb1c3e506101a22f2fd0e762beffc40aaf3763a348f91bf5ebdc547c30c40c76714e263bb6e4456dd3ada9dd53904d6c

    • SSDEEP

      24576:Ao8RUr/5+1z5qy4liClnpwWcw0r0ye66RnKUgGEM71KOx5h:Ah+/0qygxlpvAGOsKO

    Score
    3/10
    • Target

      out.iso

    • Size

      1.5MB

    • MD5

      20a560055eb3adc08bdb6212bc7fd4d5

    • SHA1

      20510590f85bd55a138b46c4c3490eca7aa3609b

    • SHA256

      d7ec8f6f25b81a46e53f3c2a3841bc0eb87f5434e9dcfeb76911a2de7223189e

    • SHA512

      0a02f233a33e4aca39426e48e017f975eb1c3e506101a22f2fd0e762beffc40aaf3763a348f91bf5ebdc547c30c40c76714e263bb6e4456dd3ada9dd53904d6c

    • SSDEEP

      24576:Ao8RUr/5+1z5qy4liClnpwWcw0r0ye66RnKUgGEM71KOx5h:Ah+/0qygxlpvAGOsKO

    Score
    1/10
    • Target

      Documenti di spedizione.bat

    • Size

      983KB

    • MD5

      c2d72d131fe371481a0cc117bb835f23

    • SHA1

      dd736a4b716d790f1a3b304f265530399e0646aa

    • SHA256

      d5ee11c69acd2903e1d9b6f6b59aabbd66d9a38430fe4a020d48b18707afb9b8

    • SHA512

      79c15f7b54322f2843f203a99605b5cdfd6a0a3fe41bf9265808a266d1c68d099f3fab8354a0d87e53eb673b101ca211a422748c232c725cadb3f4ebf6c9ce39

    • SSDEEP

      24576:co8RUr/5+1z5qy4liClnpwWcw0r0ye66RnKUgGEM71KOx5hw:ch+/0qygxlpvAGOsKOm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      3f176d1ee13b0d7d6bd92e1c7a0b9bae

    • SHA1

      fe582246792774c2c9dd15639ffa0aca90d6fd0b

    • SHA256

      fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    • SHA512

      0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

    • SSDEEP

      192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn

    Score
    3/10
    • Target

      Directdiscourse.Mrk

    • Size

      98KB

    • MD5

      0cdd72dc4c52fc3e3679087a86475ec7

    • SHA1

      086083a90b709250b42c54ed9080ececd5702610

    • SHA256

      97dab1ce75fcd484894e8b9c653ecb4609412adbfd56cf4d352e4f8ed672963a

    • SHA512

      f7a36729504b8d94c188ac80214993f7d780c7431daa2163ca6bd304bfa57dce5160b8aaf7da422e4a53067349d8412ec70685a9bde9c321e9abe93c3ab701ed

    • SSDEEP

      1536:hUL2eODkXBisy4uA2vOqMkkETeiknT0fouNyGZkI67AxzVUT0f3Wz06Vf+:OyeKMB9y4h2SM0nuNnxP6Tg3W1+

    Score
    3/10
    • Target

      Freakouts.mis

    • Size

      428KB

    • MD5

      1ef716deb3ad336e09abc68798eefb78

    • SHA1

      15e56dd29e83d44626e46f219aa1efc8fec6fb73

    • SHA256

      6401066b34d5fd3c9103c01112200e109a78a3dc584b7e55392b7a45020a76b0

    • SHA512

      6bd0842fe87e9c7467249673485392d1a718b84a757be8ab94f4323f5be358c0975a7e5bc4f74af2ef69f5db46ad00dce3dda9bbd20c2a6ce9d364883a40e7f9

    • SSDEEP

      1536:WQqatwb3BquFonZ0MZGDfw/Ams7/cTCDEhqR9:prwTBq1ZPGD4/xsDEh8

    Score
    3/10
    • Target

      Kavalerens188.equ

    • Size

      410KB

    • MD5

      93c85b7e4c86f442491ff2d5f5b3fe0b

    • SHA1

      893ee5dc579da377dce95f9decaf57438f967112

    • SHA256

      7d60978d18793a119bb47b0d702e2d1efae28514eb46e9f96d75bb6fda4ecf99

    • SHA512

      a0d6b52554f688e47986ffa6b3885393f47a5d51895dc40219bdb1c838609755b1a801e446b926b44ab6c2f4b8a05a183d3c6bbf0d16ca84802cb5dbca1581c9

    • SSDEEP

      1536:iKHVhskoaFMrwPuNqw8hbEZ1EvgaKCiIklf3:JHcP9+w8hb8IQ

    Score
    3/10
    • Target

      Overhates.txt

    • Size

      513B

    • MD5

      3a44600b8b24f5cc7ef13b014c5fc8e6

    • SHA1

      dabc64c2788c61476c159bf60e27a0385b761223

    • SHA256

      037ee7216549b3d566f3d53e5801d45adacf332f937fb43bd5a5e3f0df9662a6

    • SHA512

      02985e9f575b10700a6c8fe167db6ebd81e1b8de758dfab47bb01ab7fe568525c17e933aa2db98673e1a43eb3ef63cab6e97d59fe1b1d52e3484737e0d9b4cbe

    Score
    1/10
    • Target

      Subarachnoid/Protaspis.sol

    • Size

      298KB

    • MD5

      eada66a6285325455f7e0780c000cb65

    • SHA1

      125a71abf2adccfe6e4bb3d7bf80cac064f71690

    • SHA256

      d1e27b338c60688975ae1bb239d860e30490a7feb5aeb1df1dad87244dd073ac

    • SHA512

      669ba190147018b4cba35d6cde23d00683e73de0c70b60c1aa03edec2c7cc629da73a7495db05cf4151e100c339c76afd87a3d179fe98045ed38b02a7a478fb1

    • SSDEEP

      768:OFl7dydtg1PEAqjKsB0peIl0LVJmpGgJQZwWmkYvYTDjBlqndyzkEV5ndnGVa76E:hdKCZmTCLm4TyycJrcYKLdL59NBGa

    Score
    3/10
    • Target

      Subarachnoid/barbecue.ste

    • Size

      295KB

    • MD5

      43eb990b1be1b4570969a310174d319f

    • SHA1

      beae29db714c0576f1ba9256e64f1a0a015b3e84

    • SHA256

      6884cda80715f73c9d9aa9ad45b9bde3d9965d2009270ba685b30dd21421c04d

    • SHA512

      c0fbe88619a7bc3bb8f6cbc8b77b4c1e21a2afb8a92b1df4324c20980c5cf6362cb75b7d065391437147ba746a933ebbd51167e4df2b94477298a87331e15c75

    • SSDEEP

      768:+0WlDZ0cyMp2n0GbzqUGvbn/eHiEmNAXxM4cCQHkR1WuFkHnvVG26UZRR15NykM4:b0/vvkPqdcKMyJAnrZpdZ

    Score
    3/10
    • Target

      Subarachnoid/paradiset.cho

    • Size

      389KB

    • MD5

      34495288f83eb902ac00567354e11253

    • SHA1

      f421e0a307361c05a9534639d2b3a446f4673baf

    • SHA256

      f917e97748dee607abcc405fa70d7614b2f96675914b64ae7fd6ac299bcf220b

    • SHA512

      e2de646c75526dda1b22aebff7b7991dec89d351012fa21d925046ef5dd78abd2d999acaae7c8ba33747480d3c921cdab05d98839af3a552063070a3b4c48496

    • SSDEEP

      1536:qIRuZM0E+SCsypSaDWDKQreAN/Ge8+QM8+cj4WHOlXtZ:pRuPs3DKYc5+QM1KW

    Score
    3/10
    • Target

      Subarachnoid/saddleback.jer

    • Size

      236KB

    • MD5

      fb3375e7cb0698df507062161a26885f

    • SHA1

      5e98c5e6f50a1b57b1e72b412d9632603ff954ef

    • SHA256

      eb781b87f06cbbb43e36413f70a97528dff827a3da9575e56142324f9cf43477

    • SHA512

      949fb9f863eb2ec85b84c4db3e4ea023f1c3fc09cb79fe52b58569c616fc28f2e0d095db535c3b80ef44ce4f75ea4752313f4f20a3e3a61e49163fce8078b79b

    • SSDEEP

      768:kn4C0nabowYKKucVjMHtvH3Eq1Zg5c+0o4u1uLlOxRuYP9aVsVL/e3ec6Axhe7rO:zAzhHNuZla85OxXCm

    Score
    3/10
    • Target

      distortionless.Ska

    • Size

      378KB

    • MD5

      85fc6cabf335ce81cbae00b602a9eeb1

    • SHA1

      abe79a178fcff6f54785bf739b5b3da2c5ddd335

    • SHA256

      0fe88c31b5927ff5d298b958b8249f73932cd0626be40bc4f0c53e4c1fee194b

    • SHA512

      2e9b68c198e5a0d2ba42013fcb1ee49c3378916383ee6709e7d4e8cff072d3778597bb0c89aca44bf9a8551b8d5d92e7bb5ece6d771710cba7e1bc319a5a3d99

    • SSDEEP

      6144:DKJqy+wdTormUTsLnezqBg7Eg/XicZi0Ikufi+k:DryBdETsLezqAXiUi+

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

Score
3/10

behavioral2

Score
3/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

agenttesla discovery keylogger spyware stealer trojan
Score
10/10

behavioral6

agenttesla discovery keylogger spyware stealer trojan
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

discovery
Score
3/10

behavioral18

Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

Score
3/10