General

  • Target

    REVISED PI.zip

  • Size

    641KB

  • Sample

    221128-nvleyafc71

  • MD5

    df9cf1835d2ba2476daf8ec43ca2c2dd

  • SHA1

    77f6e6cb543f444dc3ba6f0c9e90032165a0653f

  • SHA256

    e0aba5ebc59f8ac0f8b7be112da2ee481e30c4da9f213552f76ff7c5056c1ef3

  • SHA512

    2cd429022b7ea622e1449bbf3b3f711bcbb9aefc0f287e5fe5879800978776573ad6b4bc07efddf386359ec04d89e6e0f8cbd45c33e965072ab68183ed9b83a4

  • SSDEEP

    12288:JVhFkAYsq8W61yOUGpK265AVm9RSBT3iDAnZtzIrUNYaJJ:JVhFqsq5SHHP2R6TpnZKUqaJJ

Malware Config

Targets

    • Target

      2211.exe

    • Size

      653KB

    • MD5

      aeb1becc0f251e643e27c95d2fa1d91b

    • SHA1

      f14bbc296f1da0a6e11993286871f2e9bacff72c

    • SHA256

      8cdd2376c22a3f37faafe3a39f3730b7c03c9e641b729607ca2b083abbc3f05e

    • SHA512

      0f2f2d370b257796b73f227adb055bfdd57621f34198cfabf66eef1dee43c5904263f32a7ce699ef716709dd3119b46639726e571e495533f15a2e8c403c9dec

    • SSDEEP

      12288:ggF5Mgmsq8We1+CGGpKw65AHm9RCBT3g5AnttzyrMNkaM8:ggF5asqb+BFV2RKT/ntMMKaM8

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060), count: 1

  • Defense Evasion

    Modify Registry (T1112), count: 1

  • Credential Access

    Credentials in Files (T1081), count: 3

  • Discovery

    System Information Discovery (T1082), count: 1

  • Collection

    Data from Local System (T1005), count: 3

    Email Collection (T1114), count: 1

Tasks