Overview

overview

10

Static

static

3

RICEVUTA D...TO.exe

windows7-x64

10

RICEVUTA D...TO.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    19022025_1443_RICEVUTA DI PAGAMENTO.bat.iso

  • Size

    1.8MB

  • Sample

    250219-r3t9lavjz5

  • MD5

    4f4336078fc5b5acdcf89d6c84b19946

  • SHA1

    9e0a3ebb780013339301db69b6f7c8a055f3c0df

  • SHA256

    b87109f4ac9d75b339c8fa1a08ac67db70d386eb73e95f88c47596bf3d94f7ea

  • SHA512

    5cdd0a7bedf2b00b6943866ace7e624bd47f45618181030c44412af564ac133e05de9783bb7f374ae651a52c2c44975f014f40de9d21c2ee6308f28f2ec0db33

  • SSDEEP

    49152:6NY1tpzsKc4nthNW3YU0E6DpDOPCBZOHHT:6NMpzsKnntSD16DpDO6

Score
10/10
agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Targets

    • Target

      RICEVUTA DI PAGAMENTO.bat

    • Size

      1.3MB

    • MD5

      f8918c093f62e7df3a88f3c55e5c62da

    • SHA1

      5ece572d3d72558a1c044251cd521dd5e369a727

    • SHA256

      356fd7a50b9d0c286d7251ede5b8e8ed9ec8c51a4480a88d5e054e52d352fec3

    • SHA512

      462bfee0c1158847545a696e0354c4ca581f09ba822be2fe148e324fc21e5d04eac231de92674e30e962244d9dbf2ee2b1bb98ff8bcc095b109995ce54045298

    • SSDEEP

      24576:iU9aY1wLhuxBr8sDzsKc4nVjhNW3CknC7/c2nEwRTPlJpDOPCBeuOHHTDf7:iNY1tpzsKc4nthNW3YU0E6DpDOPCBZOj

    Score
    10/10
    agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

    • SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    • SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    • SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    • SSDEEP

      192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks