General

  • Target

    336f0150fdcd079305bc991b95fed2791fbe7c9298b915191ffc5b525c0e2b27

  • Size

    676KB

  • Sample

    241122-brd58sxmfl

  • MD5

    7e188ffbaed4c494d519de1bc9facd90

  • SHA1

    5676b0d48b0acd68ba5f5bdc354a8f898fc54ba7

  • SHA256

    336f0150fdcd079305bc991b95fed2791fbe7c9298b915191ffc5b525c0e2b27

  • SHA512

    ba4c115ad903486ee58785f78806d0ff5a287792debb38fc588f06d131dbc31a550a3b5d8fe004c6a9e24577b93243fb6879d4bea18ca100ae1606b8c16bc477

  • SSDEEP

    12288:eGfF0YB8c08pH+2SjmtLiJQEv0MPbExERXyn37JPSS3LYNini:eM7F82EC4Qq0+ExERXyLImUii

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.solucionesmexico.mx
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    dGG^ZYIxX5!B

Targets

    • Target

      packing list l kyritsis.PDF.exe

    • Size

      961KB

    • MD5

      9b5fd736ccb7d5e254de6cc4f5af7524

    • SHA1

      faa2846f9580383ae9800357aba29d270cb5e129

    • SHA256

      fcfbff5d4ca24328d97ee24d502bbf08d838ccfe5e52bb9dcfe4bdda976eede2

    • SHA512

      e0a1b51638cabf51d34f8b2018df71b22108e3cfb6754a63286750048f13fe9cdae972c77fa28df26533309939aa7044586637b7c053b3c6f67be5964612decd

    • SSDEEP

      24576:gtOrPOz+EzxWSsmSZCec/pkoqTe2z7ndB:Yz+iWSEZCZ/vy7nj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks