General

  • Target

    14112024_1558_14112024_Swift Copy 000293940040005959500000599505000.img

  • Size

    1.2MB

  • Sample

    241114-tetdha1emm

  • MD5

    d0108c8fa97e0ebe194ca5fefd55eca8

  • SHA1

    5080124a892fcf4b4f072f1cb2934521e33e8163

  • SHA256

    01a4cf89055859c2fe281fff1634b8450f7e066b5ea9b9787a4fa904a61f0c27

  • SHA512

    8df74198079f8b5cb7be59a9d100c098f9764f23baecd485d8553f7d528a95dbe220d9f24dc80e8fbebf847206bc9305f4aa9239d4ffba521e142a1fc0f48e42

  • SSDEEP

    6144:ZV13JYAlkOFRH3D4i/awYYsQ2Ucu4zvgwgp2fdpWYvjEWjTj6F1gZ4sk:ZjmAvMVYs35/3CMpWov+J

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      Swift Copy 000293940040005959500000599505000.exe

    • Size

      385KB

    • MD5

      be9db428810324405b74f69d0c33b532

    • SHA1

      4eae2c3c5793ac8b407a648db3434833d9877e4f

    • SHA256

      cb91f601dfceef4ca12ce24f80ac1e55ab5fc5cc8dcfacefa02120241d429ae6

    • SHA512

      ad02acbf7093bde2e36676670e3ff99562d88a3f8fa6f30bde6d7f0a43d888e5a1ff7d9a359dbbac7a60387bdde0dbecfe73f65a7c5817cb51f7bcc3aa81d0ad

    • SSDEEP

      6144:oV13JYAlkOFRH3D4i/awYYsQ2Ucu4zvgwgp2fdpWYvjEWjTj6F1gZ4sk:ojmAvMVYs35/3CMpWov+J

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks