Overview

overview

10

Static

static

3

RICEVUTA D...TO.exe

windows7-x64

10

RICEVUTA D...TO.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    18022025_0852_RICEVUTADIPAGAMENTO.bat.iso

  • Size

    1.2MB

  • Sample

    250218-kzqzfayqev

  • MD5

    5643cdd044ded2976c6ddfbccd07abaf

  • SHA1

    d1ac285bff84b26fa2349f62683d13e83e5f1c66

  • SHA256

    2c576b998e6702ea876cb32e8ff457709d292f7d139f1a737f26f69f29e2259a

  • SHA512

    1622e733e1696ff25897cda8951bd33ba2cca6e947c9f57571612bbb0a60997549d3be58198acc961b6d78e96d502ed982fbe02a9837719df98cad31a8de0c17

  • SSDEEP

    12288:yFgYxnPNPMRLsNcVRa+zXQOV51P9hg2RAT:+VSRLsNp2Tz

Score
10/10
agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      RICEVUTA DI PAGAMENTO.bat

    • Size

      674KB

    • MD5

      ef5b44f40df78dc49c1180b671a7d089

    • SHA1

      0707aa3c6ae1abc38d08618132453e89f1b54c5a

    • SHA256

      687b2c10e61814fa7b2b3ae17c8a2f04fef5b3ddbfd12bba5948a7377b26afde

    • SHA512

      2919e804a8f92c05c3375e142e3657249acc2f267339a61ceaed791b33ed758c1c1563afd420c43856c00c4437dddfd898f4af04fe65cddb67cc774c742dc2e8

    • SSDEEP

      12288:GFgYxnPNPMRLsNcVRa+zXQOV51P9hg2RATP:aVSRLsNp2Tz2

    Score
    10/10
    agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      0063d48afe5a0cdc02833145667b6641

    • SHA1

      e7eb614805d183ecb1127c62decb1a6be1b4f7a8

    • SHA256

      ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

    • SHA512

      71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

    • SSDEEP

      192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks