General

  • Target

    aad392980897cef80774e04b02996bf378542a67334014b21ff4b8292589c7a7.rar

  • Size

    621KB

  • Sample

    241122-deqplssrgz

  • MD5

    183a1907825bb47461f5b3e376993de3

  • SHA1

    c12773b91deb6a88441d9921da29c47a5af7c9be

  • SHA256

    aad392980897cef80774e04b02996bf378542a67334014b21ff4b8292589c7a7

  • SHA512

    a56343b24b4800029beac8e17f59d4366a9398e1efb718347e84a6e6901be0d1bdd1f371614400029c0fa0acc0a1d93b081f143469e84c9f5cf72ae780d372ce

  • SSDEEP

    12288:QN4W/lWBryO0IqoVsOT8reCqAx1jHWOXL3W4CPuUFwozKYiZn/aVWjk+JP:QNJ/mrmIqqsfr5iOb3pMBe/kCP

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://cash4cars.nz
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    -[([pqM~nGA4

Targets

    • Target

      vessel details_pdf.exe

    • Size

      653KB

    • MD5

      296a91d852273bd8f8ea784f814e8e54

    • SHA1

      47a5391f798e645c075a074a7cddfab468e449d5

    • SHA256

      bdf6c1caee139afdf9122554e47a2b1f56dd5598447dced5cf81cafac1dfb7a0

    • SHA512

      0b801c4a4abdff47d84138600eb9db78d68591a12332e2abf00fe0da3b53e51c415a157aae9934bce63ff6ad1c6e7bb8adebcb1bfa12b91f40ec374ce53bd1a6

    • SSDEEP

      12288:W1Bo7KvAGZ2/IwuiwQ6CTCPuNCgHt1WH/ctA9upSNtira7Xs:W/o703ZQ5pGPuMgCH/9upTrag

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks