General

  • Target

    bbbd6bfbe450ece3fcf332a34b08b4e4f8a76abacfe90a5584d1d7d8efd46e89.exe

  • Size

    1.2MB

  • Sample

    241026-c18a4sybrd

  • MD5

    b243ee2523754c9679c17922b4ed95c0

  • SHA1

    c1bca2963c6ea45a665606707ed1b53b1b399b46

  • SHA256

    bbbd6bfbe450ece3fcf332a34b08b4e4f8a76abacfe90a5584d1d7d8efd46e89

  • SHA512

    926512030bf1ce8af3efc24d28729eb212be724f0ae2364d8aa1a6677e4dd653b0702210f604efc923b83c7329dc51aa7c85b581f2b4f4762f499de80ffea60f

  • SSDEEP

    24576:ffmMv6Ckr7Mny5QLrVBtUBLT8xfed8VHuWNZb:f3v+7/5QLrrtwufedKHXvb

Malware Config

Extracted

Credentials

  • Protocol: ftp
  • Host: ftp.haliza.com.my
  • Port: 21
  • Username: [email protected]
  • Password: JesusChrist007$

Targets

    • Target

      bbbd6bfbe450ece3fcf332a34b08b4e4f8a76abacfe90a5584d1d7d8efd46e89.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks