General

  • Target

    Sample1.zip

  • Size

    6.8MB

  • Sample

    230403-kvfynsfb7y

  • MD5

    63107a82245b03a412f9af1ea9d69d4b

  • SHA1

    4d2fda56314d58354aae8072edc93d884b91da6a

  • SHA256

    d860174c22effeac91c10774b5601c08c74429905c7f9d4043754448a7cd3a01

  • SHA512

    c70d192ccf20bf50d73b078b86bdc99b322a575eebc8c3684e2c4dc5af5b13ae1422330bafa00a0c20095aa490a571ed47483001b80b01f2ff7245f07ecdc40c

  • SSDEEP

    196608:v2QukbFvkvHP94ZLd0WR7EgtxUFSjdCdiAbL1onZM:v2Qj2l2d0Q1CSjyPtoZM

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6120421924:AAHfDg3lTzDUW4O1CSc9eyT6zf8UpaOZqyY/

Targets

    • Target

      (电-子-发-票).exe

    • Size

      36KB

    • MD5

      928c43415fa08992ecf34e90db8c2a5b

    • SHA1

      b2bd43ff4005bce6d39fad9d8bf2c2f25a89f37c

    • SHA256

      e9cc6d34b4e20a11e3af01182672a0ca71d111d1b89d73fc8584a5534d491d7e

    • SHA512

      d1c847fbf19e5d7661ff90b365decc25142de94304c812c016719948901586378909d28424bb388f904f01b072f7840758d6baa4e75a7f857799333acab7976d

    • SSDEEP

      384:4krtyExpPhFmSkkuJ0EKtU/lOgDTp4nuHD80sApEQDeT6lF:jVh93umEeUcgDTWujtP

    • Score

      10/10
    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Dekont,pdf.exe

    • Size

      220KB

    • MD5

      3f1c97d2f5200204e711e812b63b2b99

    • SHA1

      b7edbc37fd17d4b1d890ffa5565b548f4aebb40e

    • SHA256

      45a156f54da1d261e560ed2ebfd861aca470562ccca7878f44421de8089c224e

    • SHA512

      05893ea315eab2e08dfbc8d8cdf1edcfe9086ac48e02c9ebc02e3319eb7901e0097ecaf2156275773f47dce332a7d4274bbb596ae1763cde78bd1e55e7a25131

    • SSDEEP

      6144:fYYUtx+U3w8fg7Mv2D7mtGB8BHVQ+zJcM/PA6gLnqI:fFUt4eq+2Xmto8BjF9AuI

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      资金账户对账单导出.com

    • Size

      6.7MB

    • MD5

      3856a53ca2dca3c535746c194c7afb1d

    • SHA1

      89b3c74be1520a0932fed53e783212fe092641cc

    • SHA256

      7086ed025a5c4089495785a51fc9685e853e780eee24a1fefe695d486f0066a1

    • SHA512

      85d4b667f670deeb48d5d782965be8c7a06bb236d4db31373b93ec2379d78c6b67add6f88c0240d14bf91b8e728f167ebbf99299df1bb4be246eeebaa4e960c8

    • SSDEEP

      196608:LCj744gpV+cTnIknHCdzRFY4Mx53wOOj7Wl:LCjUfdbxnHcznY4M33TI

    • FatalRat

      FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    • Fatal Rat payload

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2

  • Discovery

    Query Registry (T1012): 6

    Virtualization/Sandbox Evasion (T1497): 2

    System Information Discovery (T1082): 5

    Peripheral Device Discovery (T1120): 1

  • Collection

    Email Collection (T1114): 1
