General

  • Target

    59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6.exe

  • Size

    979KB

  • Sample

    241112-cvkmvssfrj

  • MD5

    411ad554068219f2ed0ce5e74f02d542

  • SHA1

    917cc7780771e518c544338e24204471c54ec5fa

  • SHA256

    59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6

  • SHA512

    6dbd1cffd8e580bb8737e00e6c85a63d8092edb2db2028d671241fc1223e58d254a13adfe1ee05574a98be8ec471566bba7d73e2d73d30ba1805d35615c3e090

  • SSDEEP

    24576:i/Vwqfj3y6EQ4Dsv+G/9nRn0fyVPiDrNEtEBkvUEZmWwH+EP0R/tF25taZScLvci:0Vwqfj3y6EQ4Dsv+G/910fyVPiDrNEt1

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6.exe

    • Size

      979KB

    • MD5

      411ad554068219f2ed0ce5e74f02d542

    • SHA1

      917cc7780771e518c544338e24204471c54ec5fa

    • SHA256

      59b03fee31c5c62caac3b05827d210553ce84a6e7c5ae43cb7d34f8242d9bae6

    • SHA512

      6dbd1cffd8e580bb8737e00e6c85a63d8092edb2db2028d671241fc1223e58d254a13adfe1ee05574a98be8ec471566bba7d73e2d73d30ba1805d35615c3e090

    • SSDEEP

      24576:i/Vwqfj3y6EQ4Dsv+G/9nRn0fyVPiDrNEtEBkvUEZmWwH+EP0R/tF25taZScLvci:0Vwqfj3y6EQ4Dsv+G/910fyVPiDrNEt1

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Overkeenly.Aut

    • Size

      55KB

    • MD5

      e1aaf4db5b49f5077aa39b8e8ca91243

    • SHA1

      f1d68c2d223d1112f80b798a131da9e91c826bce

    • SHA256

      76a1f9a4593917cdb08c30b9a444a43a7100fb1332aab4d7a4e335819eeeae55

    • SHA512

      80d95f4062e06d0706c070b1071d9ba8ca3fa824532dbd3978cd95405502d48cf81dd2e5c6c329a90ebe8793e2065f22cb5502c510076ca626f6e92f0ba8608a

    • SSDEEP

      1536:EBuR7slSxKxB6bwQZdh+1vnpTWOogw5C2YwBLNHh:EBuRoiKx0bvdsllCDBL/

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks