General

  • Target

    Requested offermaterials20230322.pdf.exe

  • Size

    506KB

  • Sample

    230329-lq2v1sfg38

  • MD5

    a13603dc435a8fdc3d45bfc3d0a1679d

  • SHA1

    fbf91838a5d8c9fef32e05b8fe63ac04ba7feac9

  • SHA256

    0585b5a3ac0f34a11ac876a13614cecbf66b51855ff89c9c0abb62faeaf06edb

  • SHA512

    c4b1899315da49b83804c2c303d3c217457cf05388f70fbb810aa34b4af2e6154295bdae7e418194bd61467f0481b5ccb17b16728995ce54d5975fba51188091

  • SSDEEP

    12288:OddV7DSF8S+2D1i9cIeg6O2RgtP6ssv27TyVyvp:47OF8SZ1BDROBdsKUmp

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1952154144:AAEHUKomldKQIyjgq_MWw4YWiGcA_iwz6T4/sendDocument

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks