General
-
Target
PO.bat.exe
-
Size
760KB
-
Sample
241216-prrcfs1pan
-
MD5
e66902c532dd0fd4f019200e4599f17c
-
SHA1
6306e266e3d9dcd3671aa81f77bb7502e3ae76ff
-
SHA256
81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478
-
SHA512
bfc0fb98f0921f370e55fc8d9ad8cd79c0280e0de9e6a49fb28cac5eebdf28e6bf14c5f1b94c23405dd387e5495c5f754568b20600ee7fd449a123a14a3b756d
-
SSDEEP
12288:9s6eULcXcekO8cHzf2l4t5musvXsD6En3kV117Dd:MMetHzf2l4KvXgn3kJ7Dd
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Targets
-
-
Target
PO.bat.exe
-
Size
760KB
-
MD5
e66902c532dd0fd4f019200e4599f17c
-
SHA1
6306e266e3d9dcd3671aa81f77bb7502e3ae76ff
-
SHA256
81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478
-
SHA512
bfc0fb98f0921f370e55fc8d9ad8cd79c0280e0de9e6a49fb28cac5eebdf28e6bf14c5f1b94c23405dd387e5495c5f754568b20600ee7fd449a123a14a3b756d
-
SSDEEP
12288:9s6eULcXcekO8cHzf2l4t5musvXsD6En3kV117Dd:MMetHzf2l4KvXgn3kJ7Dd
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/LangDLL.dll
-
Size
5KB
-
MD5
174708997758321cf926b69318c6c3f5
-
SHA1
645488089bf320f6864e0d0bc284c85216e56fbd
-
SHA256
f577b66492e97c7b8bf515398d8deb745abafd74f56fc03e67fce248ebbeb873
-
SHA512
214433597e04ca1ff9b4fe092d5d2997707a7c56f0f82c85d586088a200e4455028f3b9427d87b4f06f9252557d5be4b7a9138ea6a8d045df6209421fd8ca054
-
SSDEEP
48:S46+/ZTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mCofjLl:zDuPbOBtWZBV8jAWiAJCdv2CmpL
Score3/10 -
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7
-
SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116
-
SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
-
SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e
-
SSDEEP
192:eK24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlASl:u8QIl975eXqlWBrz7YLOlA
Score3/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1