General

  • Target

    tmp

  • Size

    294KB

  • Sample

    230313-1xfcxsec5w

  • MD5

    2ff3c88cc079f50ba0000d386f8f208f

  • SHA1

    3c8e9271e6eae83788c36874ec7e15c780bc6a77

  • SHA256

    4b3b2e33768b07e48c7b2a32ec2e0f0fcd94b2062170b975f5324d77d28105a2

  • SHA512

    ab1cffe6c627fdc4ed363de3d7219dffc77e374832e54fc27800fcf62799d4ea3e05e4ed482f1d268747edd43434ad1bf17e5a7f8d21187dd4e00ec1cfa28347

  • SSDEEP

    6144:/Ya6RYWU4NPB0erIvWmDVUzlB6TANcHDveE1uj0DHfqXG:/Yz1zNierIeUVq6YcHxckfqXG

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/

Targets

    • Target

      tmp

    • Size

      294KB

    • MD5

      2ff3c88cc079f50ba0000d386f8f208f

    • SHA1

      3c8e9271e6eae83788c36874ec7e15c780bc6a77

    • SHA256

      4b3b2e33768b07e48c7b2a32ec2e0f0fcd94b2062170b975f5324d77d28105a2

    • SHA512

      ab1cffe6c627fdc4ed363de3d7219dffc77e374832e54fc27800fcf62799d4ea3e05e4ed482f1d268747edd43434ad1bf17e5a7f8d21187dd4e00ec1cfa28347

    • SSDEEP

      6144:/Ya6RYWU4NPB0erIvWmDVUzlB6TANcHDveE1uj0DHfqXG:/Yz1zNierIeUVq6YcHxckfqXG

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks