General

  • Target

    Fra 592770.gz

  • Size

    461KB

  • Sample

    230526-ntewrsfg3t

  • MD5

    f11ce2ea0976786a163ff6458192037b

  • SHA1

    778a65e2eb1754177e5f4434ebfbd3ce718615e4

  • SHA256

    337983575e80cb3730ba94f65113f5f2c2f68d634a9375692d9b2f9be3a3214c

  • SHA512

    33a2d04a2eff5f25e92a0c0c4b3c76958ba11c929b83ea7fcf5b50fd58fff9058e4e50e5288f370cd1c90cebea7b6645f616be8ef7ca0815ab535f9735cf7d34

  • SSDEEP

    12288:XCIUGDQ1qcBfHcf/3v/G9kAwzTBylM1fTrm3KLs6NIGRA7k5kG:X+GDQ1NBfS/3v/G9kAkToW1fTy30s6Nf

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.otj.pt
  • Port:
    587
  • Username:
    info@otj.pt
  • Password:
    zrevuafs1kd4
  • Email To:
    atlantiidafacturas@gmail.com

Targets

    • Target

      Kulbrintens.bat

    • Size

      800KB

    • MD5

      705bf7e1d7de9cef11f0e2602ed07aaa

    • SHA1

      edd8565764e87a114fa683456c7285afcd500827

    • SHA256

      7c65a78541ae61a1cb4415509a3e9c7a3a0d4dcf7200d9ec89536f37fd6b540c

    • SHA512

      c03bc38fba3c1726764c56fc75fd04406b68ce833e7e19c80c4dc69433fc61ca2a4fe6c27d59147e0e6829299bf2be8d7c96387c9488a5ec609faab55c9c973d

    • SSDEEP

      12288:9PKcWfPW1nUOMafEa841G5ZYKstRDZr+SN3xBG+:FWonUZafEc1G5ZYKsjFr+m

    • AgentTesla

      Agent Tesla is an information-stealing remote access tool (RAT) written in .NET (Visual Basic .NET). It harvests saved credentials and keystrokes and sends them out over SMTP, FTP or HTTP; the SMTP credentials in the extracted config above are this sample's exfiltration channel.

    • Checks QEMU agent file

      Checks for the QEMU guest agent's files, most likely to detect that it is running inside a virtual machine (a sandbox-evasion check).

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Enumerates the Uninstall registry keys (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the per-user equivalent) to list the software installed on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup service to learn the infected system's external IP address (included in the stolen data).

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag so that debug events for it are not delivered to an attached debugger (anti-debugging).

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with ThreadHideFromDebugger on an existing thread, with the same effect (anti-debugging).

    • Suspicious use of SetThreadContext

      Rewrites another thread's register context; together with the dropped DLL load this is the usual sign of code injection or process hollowing.
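
The extracted SMTP credentials and the behaviour list above can be turned into a host- and gateway-side detection. The following Python is an added example, not part of the sandbox report: it scans constructed key=value event lines (a Sysmon-like registry-set event, process network connections and an SMTP gateway envelope) for the report's pattern, i.e. a Run-key write, an external IP lookup and an SMTP connection to mail.otj.pt:587 from the same process, plus any envelope addressed to atlantiidafacturas@gmail.com. The process image path, the log format and the list of IP-lookup hosts are assumptions; the report does not name the lookup service.

```python
"""Detection sketch built from this report's extracted config and behaviour list.

Added example, not part of the sandbox report. The log lines below are
constructed in a simple key=value form; the process image name is an
assumption (the report names Kulbrintens.bat, not the running image).
"""
import re
from collections import defaultdict

# Exfiltration IOCs taken from the report's "Malware Config" section.
EXFIL_HOST = "mail.otj.pt"
EXFIL_PORT = "587"
EXFIL_RCPT = "atlantiidafacturas@gmail.com"

# Behaviours from the report's signature list, as patterns over the events.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumption: public IP lookup services to watch; the report only says
# "a legitimate IP lookup service" without naming it.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


PAYLOAD = r"C:\Users\ana\AppData\Roaming\payload.exe"  # assumed image name

# Constructed events: three from the infected workstation WS01, one SMTP
# gateway envelope, and two benign look-alikes that must not fire.
SAMPLE_LOG = [
    f'ts=2023-05-26T08:01:02Z host=WS01 event=RegistrySet image="{PAYLOAD}" '
    r'target="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\payload"',
    f'ts=2023-05-26T08:01:05Z host=WS01 event=NetConnect image="{PAYLOAD}" dst=api.ipify.org dport=80',
    f'ts=2023-05-26T08:01:09Z host=WS01 event=NetConnect image="{PAYLOAD}" dst=mail.otj.pt dport=587',
    'ts=2023-05-26T08:01:10Z host=EDGE01 event=SmtpEnvelope src=10.0.5.23 '
    'mail_from=info@otj.pt rcpt_to=atlantiidafacturas@gmail.com',
    'ts=2023-05-26T08:02:00Z host=WS02 event=NetConnect '
    r'image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" dst=mail.example.internal dport=587',
    'ts=2023-05-26T08:03:00Z host=WS03 event=NetConnect '
    r'image="C:\Windows\System32\curl.exe" dst=api.ipify.org dport=80',
]


def classify(ev):
    """Map one parsed event to the report behaviour it matches, or None."""
    kind = ev.get("event")
    if kind == "RegistrySet" and RUN_KEY_RE.search(ev.get("target", "")):
        return "run_key_persistence"
    if kind == "NetConnect":
        if ev.get("dst") in IP_LOOKUP_HOSTS:
            return "external_ip_lookup"
        if ev.get("dst") == EXFIL_HOST and ev.get("dport") == EXFIL_PORT:
            return "smtp_to_exfil_host"
    if kind == "SmtpEnvelope" and ev.get("rcpt_to", "").lower() == EXFIL_RCPT:
        return "exfil_envelope"
    return None


def detect(lines):
    """Correlate behaviours per (host, image) and collect exfil envelopes.

    A lone IP lookup (curl on WS03) or a lone SMTP connection is noise; the
    stealer pattern is two or more of the report's behaviours from one process.
    """
    per_proc = defaultdict(set)
    envelopes = []
    for line in lines:
        ev = parse(line)
        tag = classify(ev)
        if tag is None:
            continue
        if tag == "exfil_envelope":
            envelopes.append(ev)
        else:
            per_proc[(ev.get("host"), ev.get("image"))].add(tag)
    suspects = {k: sorted(v) for k, v in per_proc.items() if len(v) >= 2}
    return {"suspect_processes": suspects, "exfil_envelopes": envelopes}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for proc, tags in result["suspect_processes"].items():
        print(proc, tags)
    for env in result["exfil_envelopes"]:
        print("exfil envelope from", env["src"], "to", env["rcpt_to"])
```

Note that mail.otj.pt / info@otj.pt is the compromised sender mailbox the stealer authenticates to, not the attacker's collection point; the Gmail address is where the harvested data goes. Alert on workstations (not mail relays) opening port 587 to that host and on any envelope to that recipient, rather than blocking the sender domain outright, and notify the mailbox owner so the password can be rotated. Sysmon-style telemetry records registry writes but not reads, so the report's Uninstall-key enumeration will not show up in this kind of log.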

MITRE ATT&CK Matrix (ATT&CK v6; the counts are the number of matching signatures)

Persistence

Registry Run Keys / Startup Folder

1
T1060 (retired in later ATT&CK versions; now T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Email Collection

1
T1114

Command and Control

Web Service

1
T1102