General

  • Target

    Shipping_Document.gz

  • Size

    269KB

  • Sample

    241121-t5z9qstmcv

  • MD5

    60c2a5a98e22e0af687412c587a587c8

  • SHA1

    e90a2aac0bf8023ebd4ce15bf5228f1d85787e1e

  • SHA256

    0c60371abbee8b8492c2a1fb853ab09633f35ee4026afa1e08474279cf3e1214

  • SHA512

    061f66eb37166b2dc1d7b962c953f6a6cf7ca5323f71dea787e0e25fbcea56e3fa5c4dc3bb1146a16094064775dac5e4f41a23f6bcb82b4c482b1bdffa2ebbc9

  • SSDEEP

    6144:oSoBSfeyMGc7qhfC0KrlVz99LyCOHqtmfWzNIkvKoNmJxmqa2QUSQVxPn8cly:olBAfcO0hlVz3WC5tmOz/vKolqQPsBNy

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      Shipping documents 0000933349450065096000.exe

    • Size

      284KB

    • MD5

      10cc03882e85151ad4ca3db541f81cf3

    • SHA1

      be6b86b006b887fdc5abee6e64a25b5f237445a0

    • SHA256

      f2da88c88866585358047c6e08c8fd9c01178c3c8ec61345180d8335c68f3bb7

    • SHA512

      6cdce4f6a27b565d938adfeb59dbc8e9e3e2ed02d86281f62ce7de82febe71c45520bf13ce1834c9662fbf13880ff714227635399c6dce1bc43048852b2abc18

    • SSDEEP

      6144:UYRl7vMcPxo+C0Kl9D7k0UjHCHjQ9mHHa1gNC33FLkvKoNGJxmEa2QUkeS/op+:T4cY1DRUeHjomHHGgN7vKopwQReS/v

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks