General

  • Target

    b472343a9ac7b5969b40f22b90771cdee7210913d348e966ce4ed7540bcb9ddd

  • Size

    744KB

  • Sample

    221206-rxqzzsfe24

  • MD5

    ba017a929db6156f1bf1ddef8d6766c7

  • SHA1

    cc33ec6ff180e9a6b9121c73686299d1b2bdec5a

  • SHA256

    b472343a9ac7b5969b40f22b90771cdee7210913d348e966ce4ed7540bcb9ddd

  • SHA512

    46aff8e40fd7646b83d87cd29c8794f202749982fce76d94eefd412cbe5600bc26d3109420727473d6f47b654ae9a79b94bcf2bd0d09646f0e6b1c010d8367e1

  • SSDEEP

    12288:kwlDmomPZefLPtqvyuSZpIyu5qDdoazx/0pk6XyNlNIkkVGueqB89wF+e5/g:momxiLQFSLsX8x/0zaIR0ue+89wF+Ag

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5466358579:AAFHSCLt1chyZSTsCVrxZSdLSPQ_50Hs-ww/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks