General

  • Target

    bf32f23a87b64a238e5050844edec9b7.exe

  • Size

    321KB

  • Sample

    221207-p1sxmseh74

  • MD5

    bf32f23a87b64a238e5050844edec9b7

  • SHA1

    c0a83fef7da08a4dc99d510b9d55aad00e4e549e

  • SHA256

    783f22d3f808a135871ff9a96877de2ffdb916e914010f8dfb23d1dd2c103f06

  • SHA512

    a44efd51335fa4ad2e198fdf58ed5be39d62c01c811ceb12f954908fcb87459e5d9e935dac481e0bfefff4158e89e29d6d3b0519137486d0feaed9bf064a2621

  • SSDEEP

    6144:QBn1VOu62SslcNRnuYrfQ6m/E07z5r6ZlASnb0e52:gVJYsGTuQQ6mMUZ4lAQbX52

Malware Config

Extracted

  • Family

    agenttesla

  • C2

    https://api.telegram.org/bot5655543251:AAF6zs8TWZ5wmyQhXrUZEpQjh6VaOy-aYoQ/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic / Technique / ID / Count

  • Persistence: Registry Run Keys / Startup Folder, T1060, 1
  • Defense Evasion: Modify Registry, T1112, 1
  • Credential Access: Credentials in Files, T1081, 3
  • Discovery: System Information Discovery, T1082, 1
  • Collection: Data from Local System, T1005, 3
  • Collection: Email Collection, T1114, 1

Tasks