General

  • Target

    Product Order.gz

  • Size

    664KB

  • Sample

    230612-qxwpssch7x

  • MD5

    a4f93a0c0ed2ece36f307a1ac31d4d35

  • SHA1

    0df0f202b57021e4ef261df62bb44680370f0fb7

  • SHA256

    d30fa0321c74d47ff319db345eaa7bf720a8bdde4a524a0b46f4a21484c75d1a

  • SHA512

    522500b9051f32d9ded80135a0ae0d7defc2a71b849a41b4e591511652a4f0ae3cf21c605915e88f4ae72d95923ca2aea7e9a503860511b2b36ce42976cb70ab

  • SSDEEP

    12288:F8+ryu3bqjh8mol8BWQN+9b8pYvWMfFIjkx5JgUVeWJlB0cSGcs18h+ZLQOidt2C:Fh3w8mol8BWQN+94CeMfFZJgUVewb/H2

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6254200827:AAE72ehike93Yl10K-g-eoD9WA3Xk9taVes/

Targets

    • Target

      Product Order.exe

    • Size

      776KB

    • MD5

      dc864332ee7a85324d0cda25fac3bf21

    • SHA1

      5be0e586e93b9042f8a72e1c1bb1a5182a4066d3

    • SHA256

      8aead2c3d3796d348dc61029023a5679f2ef747c8ce155a767d5e47280e5ec26

    • SHA512

      f02820ec93fc9f4794e5144986f9defa41a5510c758f43273eb6ad7d0b9ad537ebab5cacc63ea705152eb514572abe345db29406d4a9fabddde6b7cb8ee1e1f1

    • SSDEEP

      24576:KiOV/NOapDl4JebJgUte4/pB18/dBrZNx2JBJ:KiOV/NOapDlpKUM4/po//rZz2JBJ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks