General

  • Target

    fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa.hta

  • Size

    178KB

  • Sample

    241121-kv8npazfkd

  • MD5

    01928c833c9940a6896666a9d93b9670

  • SHA1

    abe22dd055a6fa39c615cf72818e474f2525e7ae

  • SHA256

    fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa

  • SHA512

    e34bc23996ab1ec12117e463f8b8ec5b4e880635d435286d3e4d09c8499c044dd2f92d8c2927e1435287691ae14dc1e1f7331c2aeae103ca9ac56022b9d883e0

  • SSDEEP

    48:4vahW5oZz7eWLB2CCz7lRo7dmz7lOwo7dO81bBPW1zKfD299Ddaq6bWyxf9DZRDf:4vCl17nuYMiFeAqfoqyWyflRJm0cfQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.elquijotebanquetes.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    4r@d15PS!-!h

Targets

    • Target

      fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa.hta

    • Size

      178KB

    • MD5

      01928c833c9940a6896666a9d93b9670

    • SHA1

      abe22dd055a6fa39c615cf72818e474f2525e7ae

    • SHA256

      fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa

    • SHA512

      e34bc23996ab1ec12117e463f8b8ec5b4e880635d435286d3e4d09c8499c044dd2f92d8c2927e1435287691ae14dc1e1f7331c2aeae103ca9ac56022b9d883e0

    • SSDEEP

      48:4vahW5oZz7eWLB2CCz7lRo7dmz7lOwo7dO81bBPW1zKfD299Ddaq6bWyxf9DZRDf:4vCl17nuYMiFeAqfoqyWyflRJm0cfQ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks