General

  • Target

    30062025_1836_Nuovo Ordine 0020994009590969607099.exe.iso

  • Size

    1.2MB

  • Sample

    250630-w8w3laaj9w

  • MD5

    b99d8cd97329a2605ee34165f7280ce6

  • SHA1

    aa92d1529526708a6e93d12a5ab8e06981a07f34

  • SHA256

    1b9b82a21f9b18a8eb1161baa23110ebf8cdce006b96c8792076be6266419155

  • SHA512

    b161e3b29bf45f7abce993b3598011b6f03690f68a88a42cd637eac3c404e60868b36a91db46a554afdb35f7b88a521e6f4e294bac4ef3b86e271a5911a0ef39

  • SSDEEP

    12288:bMwC2L2cvCJqhDsyPQPUFqxBs1DNy82MvQ/0HN5j6SvVZ:bMwC2LXVgMwns1Jy8hvQl8Z
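The report hashes both the .iso container and the executable it carries (listed under Targets). The following added example is not part of the report or of any sandbox tooling; it shows how to pull a file out of an ISO9660 image without mounting it and then confirm that what you extracted matches the report's digests. It builds a small constructed image in memory (a harmless "MZ" stub, not the real sample); REPORT_HASHES carries the MD5/SHA256 values printed above, which a genuine copy of the sample would match and the constructed stub deliberately does not. SSDEEP is left out because it needs a third-party library.

```python
import hashlib
import struct

SECTOR = 2048  # ISO9660 logical sector size


def _both_endian32(value):
    return struct.pack("<I", value) + struct.pack(">I", value)


def _both_endian16(value):
    return struct.pack("<H", value) + struct.pack(">H", value)


def _dir_record(name, lba, size, flags=0):
    """Build one ISO9660 directory record (ECMA-119 section 9.1)."""
    body = (
        bytes([0])                 # extended attribute record length
        + _both_endian32(lba)      # extent location (sector number)
        + _both_endian32(size)     # data length in bytes
        + bytes(7)                 # recording date/time (zeroed for the sample)
        + bytes([flags, 0, 0])     # file flags (bit 1 = directory), unit size, interleave gap
        + _both_endian16(1)        # volume sequence number
        + bytes([len(name)]) + name
    )
    if (1 + len(body)) % 2:        # records are padded to an even length
        body += b"\x00"
    return bytes([1 + len(body)]) + body


def build_iso(filename, payload):
    """Construct a minimal single-file ISO9660 image in memory (constructed sample, not the lure)."""
    root_lba, file_lba = 18, 19
    root_dir = (_dir_record(b"\x00", root_lba, SECTOR, flags=2)      # "."
                + _dir_record(b"\x01", root_lba, SECTOR, flags=2)    # ".."
                + _dir_record(filename + b";1", file_lba, len(payload)))
    pvd = bytearray(SECTOR)
    pvd[0] = 1                      # primary volume descriptor
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, flags=2)  # root directory record
    term = bytearray(SECTOR)
    term[0] = 255                   # volume descriptor set terminator
    term[1:6] = b"CD001"
    padded = payload.ljust(-(-len(payload) // SECTOR) * SECTOR, b"\x00")
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + root_dir.ljust(SECTOR, b"\x00") + padded


def list_iso_files(image):
    """Walk the root directory of an ISO9660 image and return {name: bytes} for plain files."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[1:6] != b"CD001":
        raise ValueError("not an ISO9660 image")
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]
    files = {}
    off, end = root_lba * SECTOR, root_lba * SECTOR + root_len
    while off < end:
        rec_len = image[off]
        if rec_len == 0:            # zero padding: records never straddle a sector, skip ahead
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = image[off:off + rec_len]
        lba = struct.unpack_from("<I", rec, 2)[0]
        size = struct.unpack_from("<I", rec, 10)[0]
        flags = rec[25]
        name = rec[33:33 + rec[32]]
        if not flags & 2 and name not in (b"\x00", b"\x01"):
            clean = name.split(b";")[0].decode("ascii", "replace")   # drop the ";1" version suffix
            files[clean] = image[lba * SECTOR:lba * SECTOR + size]
        off += rec_len
    return files


REPORT_HASHES = {  # digests as printed in the report above
    "30062025_1836_Nuovo Ordine 0020994009590969607099.exe.iso": {
        "md5": "b99d8cd97329a2605ee34165f7280ce6",
        "sha256": "1b9b82a21f9b18a8eb1161baa23110ebf8cdce006b96c8792076be6266419155",
    },
    "Nuovo Ordine 0020994009590969607099.exe": {
        "md5": "1d48a375ce7c75376eab3198252208fc",
        "sha256": "2d681f77a01e0e7c148103ac4f081fae79fdbb4de8761a519e87cde85e338720",
    },
}


def digests(data):
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data, expected):
    """True only if every digest listed in `expected` matches the data."""
    got = digests(data)
    return all(got[algo] == value for algo, value in expected.items())


if __name__ == "__main__":
    image = build_iso(b"ORDINE.EXE", b"MZ" + b"\x90" * 300)   # constructed stub, not the sample
    for name, blob in list_iso_files(image).items():
        print(name, len(blob), "bytes", digests(blob)["sha256"])
        print("matches report:", matches_report(blob, REPORT_HASHES["Nuovo Ordine 0020994009590969607099.exe"]))
```

Run it against the real container by replacing the constructed image with `open(path, "rb").read()`; the same parser applies, and a sample that matches the report's SHA256 is the one the rest of this page describes.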

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E
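The two extracted blocks above describe the same FTP exfiltration endpoint; the second merely carries a scheme prefix in the Host field. The following added example (not part of the report or of any extractor) normalises such blocks into a single indicator and then correlates DNS answers for that hostname with FTP uploads to the resolved address, which is the check a SOC would run over proxy or Zeek logs. The username is omitted because the page shows it only in obfuscated form. The dns_events and ftp_events records are simplified Zeek-like dicts constructed for the example, and 203.0.113.10 is a documentation address, not the host's real resolution. Because the exfil channel is plain FTP on port 21, the same credentials are also visible on the wire in the USER/PASS commands.

```python
import ipaddress
from urllib.parse import urlsplit

# The two "Extracted" credential blocks from the report above (username omitted).
EXTRACTED_BLOCKS = [
    {"Protocol": "ftp", "Host": "ftp.concaribe.com", "Port": "21"},
    {"Protocol": "ftp", "Host": "ftp://ftp.concaribe.com", "Port": "21"},
]


def normalise_endpoint(block):
    """Reduce one extracted block to (protocol, hostname, port), stripping a scheme prefix if present."""
    host = block["Host"].strip()
    if "://" in host:
        host = urlsplit(host).hostname or host
    return (block["Protocol"].lower(), host.lower().rstrip("."), int(block["Port"]))


def exfil_endpoints(blocks):
    """Deduplicate extracted blocks; both entries above collapse to one endpoint."""
    return sorted({normalise_endpoint(b) for b in blocks})


def defang(host):
    """Defang a hostname for sharing in tickets and reports."""
    return host.replace(".", "[.]")


def find_ftp_exfil(endpoints, dns_events, ftp_events):
    """Correlate DNS answers for the exfil hostname with FTP uploads to the resolved address.

    dns_events and ftp_events are simplified Zeek-like records (dicts) constructed for this example.
    Returns (connection uid, hostname, uploaded file name) for each upload to a known exfil host.
    """
    wanted = {host for proto, host, _ in endpoints if proto == "ftp"}
    resolved = {}
    for ev in dns_events:
        qname = ev["query"].lower().rstrip(".")
        if qname in wanted:
            for answer in ev["answers"]:
                try:
                    ipaddress.ip_address(answer)
                except ValueError:
                    continue          # CNAME or other non-address answer
                resolved[answer] = qname
    hits = []
    for ev in ftp_events:
        server = ev["resp_h"]
        if server in resolved and ev["command"].upper() in ("STOR", "APPE"):
            hits.append((ev["uid"], resolved[server], ev["arg"]))
    return hits


# Constructed sample traffic (addresses from the 203.0.113.0/24 documentation range).
SAMPLE_DNS = [
    {"query": "ftp.concaribe.com", "answers": ["203.0.113.10"]},
    {"query": "api.ipify.org", "answers": ["203.0.113.55"]},
]
SAMPLE_FTP = [
    {"uid": "C1", "resp_h": "203.0.113.10", "resp_p": 21, "command": "USER", "arg": "<redacted>"},
    {"uid": "C1", "resp_h": "203.0.113.10", "resp_p": 21, "command": "STOR", "arg": "PW_user-DESKTOP_2025_06_30.html"},
    {"uid": "C2", "resp_h": "203.0.113.20", "resp_p": 21, "command": "STOR", "arg": "backup.tar"},
]

if __name__ == "__main__":
    endpoints = exfil_endpoints(EXTRACTED_BLOCKS)
    for proto, host, port in endpoints:
        print(f"IOC: {proto}://{defang(host)}:{port}")
    for uid, host, filename in find_ftp_exfil(endpoints, SAMPLE_DNS, SAMPLE_FTP):
        print(f"exfil upload in {uid} to {host}: {filename}")
```

The upload in connection C2 goes to an unrelated FTP server and is not reported; only sessions to an address that the DNS log ties to the extracted hostname count. If the host later changes its A record, the DNS-driven mapping still works, which a static IP blocklist would not.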

Targets

    • Target

      Nuovo Ordine 0020994009590969607099.exe

    • Size

      647KB

    • MD5

      1d48a375ce7c75376eab3198252208fc

    • SHA1

      d6d238182fc1a215a67d16393e5e59a082b53cd9

    • SHA256

      2d681f77a01e0e7c148103ac4f081fae79fdbb4de8761a519e87cde85e338720

    • SHA512

      2e9911390026aa27c30fe6bfa725296d0fd7d8b711b84cbdba2d117ddf563d29c5e14c66537ea987089931f2d981ba5a1327aa29a10c3221ad5378708b0d9602

    • SSDEEP

      12288:EMwC2L2cvCJqhDsyPQPUFqxBs1DNy82MvQ/0HN5j6SvVZ8:EMwC2LXVgMwns1Jy8hvQl8Z8

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, with builds written in Visual Basic .NET or C#. It harvests credentials and keystrokes from the infected host and sends them to an operator-controlled endpoint; in this sample that endpoint is the FTP server in the extracted config above.

    • Agenttesla family

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with NtCreateThreadEx and the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag (0x4), so the new thread never reports debug events to an attached debugger. This is an anti-analysis technique rather than normal application behaviour.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) on an existing thread, which stops the kernel from delivering that thread's exceptions and debug events to a debugger. Malware uses it to detach analysis tools or to detect them when the call fails.
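The three behavioural signatures above (external IP lookup, NtCreateThreadEx with the hide-from-debugger flag, NtSetInformationThread with ThreadHideFromDebugger) are each one rule over the sandbox's API and network trace. The following added example, written for this page and not taken from any sandbox, implements those rules over a constructed trace so the exact values the signatures key on are visible: ThreadInformationClass 0x11 and CreateFlags bit 0x4. The trace records are invented for the example; the list of IP-lookup hosts is an assumption of a few well-known public services and is not the sandbox's own list.

```python
THREAD_HIDE_FROM_DEBUGGER = 0x11               # THREADINFOCLASS value ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4   # NtCreateThreadEx CreateFlags bit

# Assumed list of public "what is my IP" services; extend to taste.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com", "ifconfig.me"}


def hide_from_debugger_calls(api_trace):
    """Return (api, tid) for every call that hides a thread from the debugger."""
    hits = []
    for call in api_trace:
        args = call.get("args", {})
        if call["api"] == "NtSetInformationThread" and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            hits.append(("NtSetInformationThread", call["tid"]))
        elif call["api"] == "NtCreateThreadEx" and args.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hits.append(("NtCreateThreadEx", call["tid"]))
    return hits


def ip_lookup_requests(http_trace):
    """Return (pid, host) for each HTTP request to a known external-IP lookup service."""
    return [(r["pid"], r["host"].lower()) for r in http_trace if r["host"].lower() in IP_LOOKUP_HOSTS]


def signatures(api_trace, http_trace):
    """Names of the report signatures that the traces trigger, in the order the report lists them."""
    names = []
    if ip_lookup_requests(http_trace):
        names.append("Looks up external IP address via web service")
    apis = {api for api, _ in hide_from_debugger_calls(api_trace)}
    if "NtCreateThreadEx" in apis:
        names.append("Suspicious use of NtCreateThreadExHideFromDebugger")
    if "NtSetInformationThread" in apis:
        names.append("Suspicious use of NtSetInformationThreadHideFromDebugger")
    return names


# Constructed traces in the shape a sandbox API monitor might emit (invented for this example).
SAMPLE_API_TRACE = [
    {"pid": 4120, "tid": 4124, "api": "NtSetInformationThread",
     "args": {"ThreadHandle": -2, "ThreadInformationClass": 0x11, "ThreadInformationLength": 0}},
    {"pid": 4120, "tid": 4124, "api": "NtCreateThreadEx",
     "args": {"ProcessHandle": -1, "CreateFlags": 0x4, "StartRoutine": 0x00401000}},
    {"pid": 4120, "tid": 4124, "api": "NtSetInformationThread",
     "args": {"ThreadHandle": -2, "ThreadInformationClass": 0x0, "ThreadInformationLength": 4}},  # ThreadBasicInformation, benign
    {"pid": 4120, "tid": 4124, "api": "NtCreateThreadEx",
     "args": {"ProcessHandle": -1, "CreateFlags": 0x0, "StartRoutine": 0x00402000}},              # normal thread
]
SAMPLE_HTTP_TRACE = [
    {"pid": 4120, "method": "GET", "host": "api.ipify.org", "path": "/"},
    {"pid": 4120, "method": "GET", "host": "ftp.concaribe.com", "path": "/"},
]

if __name__ == "__main__":
    for name in signatures(SAMPLE_API_TRACE, SAMPLE_HTTP_TRACE):
        print(name)
```

The benign NtSetInformationThread and NtCreateThreadEx calls in the trace are deliberately present: the rules must key on the information class and flag bit, not on the API name alone, or every process that queries thread information would trigger them.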

MITRE ATT&CK Enterprise v16

Tasks