General

  • Target

    Nakliye belgeleri.exe

  • Size

    1.1MB

  • Sample

    241206-h4wdlssjcp

  • MD5

    620924d9a2e90d34b060c7e210785926

  • SHA1

    736ce2fe105049ed45e90e5bd9d83086a6006c32

  • SHA256

    014f4753734a62111955ca64721aa64a4b6d98b36e5a3bd9a4da5afc128b2f17

  • SHA512

    d9b73f6d65eb4aabf05e96e06c864a68d921c627eca178cba573a46a1818f00d6934ce794eb1bcedccc2fbaef83ae2270eb9583217705293860450ef25a41912

  • SSDEEP

    12288:pl/4qNMmw1GYDmImQgThNj/yMf5ck8WMvwvKIcrIPdEBEo7vPmXaNgI+pMeVOqIt:rM05NjKiclwSIU04Eb1MncwaF0C9Wn

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      Nakliye belgeleri.exe

    • Size

      1.1MB

    • MD5

      620924d9a2e90d34b060c7e210785926

    • SHA1

      736ce2fe105049ed45e90e5bd9d83086a6006c32

    • SHA256

      014f4753734a62111955ca64721aa64a4b6d98b36e5a3bd9a4da5afc128b2f17

    • SHA512

      d9b73f6d65eb4aabf05e96e06c864a68d921c627eca178cba573a46a1818f00d6934ce794eb1bcedccc2fbaef83ae2270eb9583217705293860450ef25a41912

    • SSDEEP

      12288:pl/4qNMmw1GYDmImQgThNj/yMf5ck8WMvwvKIcrIPdEBEo7vPmXaNgI+pMeVOqIt:rM05NjKiclwSIU04Eb1MncwaF0C9Wn

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Guloader family

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fc90dfb694d0e17b013d6f818bce41b0

    • SHA1

      3243969886d640af3bfa442728b9f0dff9d5f5b0

    • SHA256

      7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

    • SHA512

      324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

    • SSDEEP

      192:e/b2HS5ih/7i00eWz9T7PH6yeFcQMI5+Vw+EXWZ77dslFZk:ewSUmWw9T7MmnI5+/F7Kdk

    Score
    3/10
    • Target

      hypohydrochloria.app

    • Size

      487KB

    • MD5

      271b95b44bbafaf5d68ae0d972e1163a

    • SHA1

      6816bd06b9b638de8e6517dfe7647ce409f2f4c8

    • SHA256

      60412767f4eaea33f06a6a02f3b0975015e75f251ba6cbeee96ac712d0b23f9b

    • SHA512

      cb7a65001cc0dbb63cddcd89166b575bd2612f75100ca47ff8a8162825a5c91a5c2b60b83447f33a7aad1c0f1a7eee4c5f340e5d66141ee59309b59ca461d992

    • SSDEEP

      1536:vGAVO3tWkduBR8240f+rzESOotNlufM+A/:nYQSA6AMIk+A/

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks