General

  • Target

    Statement of Account.ace

  • Size

    418KB

  • Sample

    230209-nczvlshg71

  • MD5

    b16bf8830d1842d2f9e78b2fe210849d

  • SHA1

    e512bcdb0141ce758c161d414286b250f9a3d8c9

  • SHA256

    32e9175d0fc07dae4adf478b8edaa68aba6f8cee81880b2c67ddaf23acd282cb

  • SHA512

    6440d7c7932ee843792d2c4711c3964e1a3969b62dc9d2c957e7ca5ac7a5776652016a4753e02d95b68831ce894bba87e934cdb4e256971044cea6c45d423de3

  • SSDEEP

    12288:S5kw7Duc3oeAeW+THjpzaqXOZlOjVV/34F:auc39NXRXOZlOZV/34F

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5896636070:AAE1wgCylxBdOo6ud0Pm37zMf2XWSsuCQ0g/

Targets

    • Target

      Statement of Account.exe

    • Size

      492KB

    • MD5

      6e7687b86eeb2bd86478ee96e06c200e

    • SHA1

      105fc272b1c2e949e3113e72ff2f4e2b9b057cbb

    • SHA256

      0646c74553ece34bde89208dc879a57458e28d8b7e069d352336021705b9bd1e

    • SHA512

      64e0cd8c76380e6176327b353c4cca0d1c512ea1a821b7598cf614fa8769e1e552825f33caddee85707cd6d4a362a4fb93d4d782a47fbbf34ec100ef9e13d616

    • SSDEEP

      12288:lcbsoVgc0AkTIDadXg82PpVWSTAqwhdV7gGyE5hk480+ttP5:lvAjeTIoXgzSS0HhcG16480i5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks