General

  • Target

    ac96bb0f3a91ebfb176baecf8f3232ae86d40a9565733432fe21b3a3da7dbb52

  • Size

    2.3MB

  • Sample

    250505-bvkgesv1ht

  • MD5

    b648fa91a28c763d59ffd7d8470b990d

  • SHA1

    2a18fe2e85ec465954af05f0afd3dd26639b9630

  • SHA256

    ac96bb0f3a91ebfb176baecf8f3232ae86d40a9565733432fe21b3a3da7dbb52

  • SHA512

    4c0dba777ce7d369f6c70be70285bd606269f1ab58f627e65060b6e07f779ad3ed70800b11ad57cde13dc995b39b1b9ec27d321a4399ec2f1297cf2058de1a0d

  • SSDEEP

    49152:QxI3DJOC5OGq97V5l/2n0yDIwABzptASqecr8KYCKa/aTTr4LTz:YGhXq9x/2nEzAbecIKpKa/I4LX

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.xma0.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    london@1759

Extracted

Family

agenttesla

Credentials

Extracted

Family

darkcloud

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.mailo.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    london@1759

Targets

    • Target

      RFQ-Materials-LBS9782-NB13-Specifications-pdf.exe

    • Size

      2.7MB

    • MD5

      424488e019388f49ef9e7b25730923a3

    • SHA1

      edc134717b09b18488e50483d2d7cb45b2253e98

    • SHA256

      95075ecbdcd1ff294433ceeb45d7bb3d24e94857620dba98b5f6b08250cff811

    • SHA512

      117457609b1cbf06714018e8d47d97c8af533ef94d4fc15fd293a6a02abd203971f890a9b9a82800c2826029bfde84ee9094527b37870a098e3c76fe426947ca

    • SSDEEP

      49152:8Vg5tQ7apGIIyWG6Nrx5o3hfsWhANqzS3BOZRsWylxJi69tl/Dl5:Gg56ejc5aa9NCS3BnzJ3lD

    • AgentTesla

Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).

    • Agenttesla family

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Drops startup file

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

Email clients store account data, including saved credentials, on disk, where infostealers routinely target it.

    • Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

• AutoIt Executable

      AutoIt scripts compiled to PE executables.

    • Drops file in System32 directory

• Suspicious use of SetThreadContext

      Rewriting another thread's context is the usual last step of process hollowing and similar injection techniques: a process or thread is created suspended, its memory is replaced with the payload, and the entry point is redirected before it is resumed.
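The exfiltration endpoints in the Extracted blocks and the credential-store behaviours listed above translate directly into host and network detection logic. The Python below is an added example, not part of the sandbox report or of either malware family's code. It hard-codes the two endpoints from the Extracted configs, assumes typical on-disk locations and registry keys for the WinSCP, FileZilla, Thunderbird, Outlook, Chrome and Firefox credential stores (the report names the programs, not the exact paths the sample touched), assumes a few common IP lookup hosts (the report names none), and runs over constructed telemetry built around the dropped file name in this report.

```python
import re
from typing import Iterable

# Exfiltration endpoints copied from the two "Extracted" credential blocks in
# this report. The page does not say which family owns the SMTP account, so
# that label does not claim it.
EXFIL_ENDPOINTS = {
    ("mail.xma0.com", 587): "SMTP exfiltration endpoint (extracted config)",
    ("ftp.mailo.com", 21): "FTP exfiltration endpoint (darkcloud config)",
}

# Credential stores implied by the behaviour signatures. The report names the
# programs but not the exact paths or keys; these are ASSUMED typical locations.
FILE_RULES = [
    (r"\\FileZilla\\(recentservers|sitemanager)\.xml$",
     "Reads data files stored by FTP clients"),
    (r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$",
     "Reads user/profile data of local email clients"),
    (r"\\User Data\\(Default|Profile \d+)\\Login Data$",
     "Reads user/profile data of web browsers"),
    (r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$",
     "Reads user/profile data of web browsers"),
]
REGISTRY_RULES = [
    (r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions",
     "Reads WinSCP keys stored on the system"),
    (r"\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles",
     "Reads user/profile data of local email clients"),
]
# The report says only "a legitimate IP lookup service"; these hosts are
# ASSUMED examples of such services, not values observed in the sandbox run.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com"}


def classify(event: dict) -> list[str]:
    """Return the behaviour labels a single telemetry event satisfies."""
    hits: list[str] = []
    kind = event.get("type")
    if kind == "file":
        hits += [lbl for pat, lbl in FILE_RULES if re.search(pat, event["path"], re.IGNORECASE)]
    elif kind == "registry":
        hits += [lbl for pat, lbl in REGISTRY_RULES if re.search(pat, event["key"], re.IGNORECASE)]
    elif kind == "dns":
        if event["query"].lower() in IP_LOOKUP_HOSTS:
            hits.append("Looks up external IP address via web service")
    elif kind == "network":
        label = EXFIL_ENDPOINTS.get((event["dest_host"].lower(), event["dest_port"]))
        if label:
            hits.append(label)
    return hits


def detect(events: Iterable[dict]) -> dict[str, list[str]]:
    """Group matches by process image, keeping each distinct behaviour once."""
    per_process: dict[str, list[str]] = {}
    for ev in events:
        for label in classify(ev):
            seen = per_process.setdefault(ev["image"], [])
            if label not in seen:
                seen.append(label)
    return per_process


def verdict(behaviours: list[str]) -> str:
    """A single credential-store read is noisy (the client itself, backup tools);
    require at least two stores plus an exfil endpoint or IP lookup."""
    exfil = any("exfiltration" in b or "external IP" in b for b in behaviours)
    reads = sum(1 for b in behaviours if b.startswith("Reads"))
    if exfil and reads >= 2:
        return "infostealer: credential harvesting with exfiltration"
    if reads >= 2:
        return "suspicious: multiple credential stores read"
    return "no verdict"


SAMPLE = "RFQ-Materials-LBS9782-NB13-Specifications-pdf.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not the sandbox's real event log
    {"type": "registry", "image": SAMPLE, "key": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\prod-sftp"},
    {"type": "file", "image": SAMPLE, "path": r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "file", "image": SAMPLE, "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "image": SAMPLE, "path": r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\k3f9x.default-release\logins.json"},
    {"type": "dns", "image": SAMPLE, "query": "api.ipify.org"},
    {"type": "network", "image": SAMPLE, "dest_host": "mail.xma0.com", "dest_port": 587},
    {"type": "network", "image": SAMPLE, "dest_host": "ftp.mailo.com", "dest_port": 21},
    # Benign control: Chrome reading its own store must not produce a verdict.
    {"type": "file", "image": "chrome.exe", "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for image, behaviours in detect(SAMPLE_EVENTS).items():
        print(f"{image}: {verdict(behaviours)}")
        for b in behaviours:
            print(f"  - {b}")
```

The threshold in verdict() is the point worth carrying into a real rule set: each of the "Reads ..." behaviours fires on legitimate software too, so alert on the combination (several unrelated credential stores read by one image, followed by a connection to the extracted exfiltration endpoints or an IP lookup) rather than on any one of them. The endpoint and port pairs should also go into egress blocking and proxy logs, since the extracted configuration shows the sample authenticating outbound over SMTP submission (587) and plain FTP (21).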

MITRE ATT&CK Enterprise v16
