General

  • Target: d7ec8f6f25b81a46e53f3c2a3841bc0eb87f5434e9dcfeb76911a2de7223189e.img
  • Size: 1.5MB
  • Sample: 241021-k82gjaxhph
  • MD5: 20a560055eb3adc08bdb6212bc7fd4d5
  • SHA1: 20510590f85bd55a138b46c4c3490eca7aa3609b
  • SHA256: d7ec8f6f25b81a46e53f3c2a3841bc0eb87f5434e9dcfeb76911a2de7223189e
  • SHA512: 0a02f233a33e4aca39426e48e017f975eb1c3e506101a22f2fd0e762beffc40aaf3763a348f91bf5ebdc547c30c40c76714e263bb6e4456dd3ada9dd53904d6c
  • SSDEEP: 24576:Ao8RUr/5+1z5qy4liClnpwWcw0r0ye66RnKUgGEM71KOx5h:Ah+/0qygxlpvAGOsKO

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://ftp.concaribe.com
  • Port: 21
  • Username: [email protected]
  • Password: ro}UWgz#!38E

Targets

    • Target: Documenti di spedizione.bat
    • Size: 983KB
    • MD5: c2d72d131fe371481a0cc117bb835f23
    • SHA1: dd736a4b716d790f1a3b304f265530399e0646aa
    • SHA256: d5ee11c69acd2903e1d9b6f6b59aabbd66d9a38430fe4a020d48b18707afb9b8
    • SHA512: 79c15f7b54322f2843f203a99605b5cdfd6a0a3fe41bf9265808a266d1c68d099f3fab8354a0d87e53eb673b101ca211a422748c232c725cadb3f4ebf6c9ce39
    • SSDEEP: 24576:co8RUr/5+1z5qy4liClnpwWcw0r0ye66RnKUgGEM71KOx5hw:ch+/0qygxlpvAGOsKOm

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • Loads dropped DLL
    • Reads WinSCP keys stored on the system
      Tries to access WinSCP stored sessions.
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials, etc.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Drops file in System32 directory
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

    • Target: $PLUGINSDIR/System.dll
    • Size: 11KB
    • MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae
    • SHA1: fe582246792774c2c9dd15639ffa0aca90d6fd0b
    • SHA256: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
    • SHA512: 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
    • SSDEEP: 192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks