General

  • Target

    e65e27e0c4a8ea50e36985a26b33b672.bin

  • Size

    14KB

  • Sample

    230617-ccfwyshd9t

  • MD5

    9358c1acb3ff895ed1ea2198595a25ef

  • SHA1

    76ef8f36542fafb29ac69ca33e44da5d5755637b

  • SHA256

    0c3270aa02d427984c0ca12d3ea6b3e62445b821bf736776a92614fe32717882

  • SHA512

    193a99e1d6426d5f5592c525e3028c3bc8e2a445f1dcf1f1233a6c59061609069da12491dc52d8bf5a27e436c47a8dcb968a1c02eba99ca7297d0313c35ff084

  • SSDEEP

    384:CoHA3yB//MG6s1BSKLzT1k1uoljL9Mzoc1NsQlZIfIQj:CoH0yB/UG6s1BSKvRk1/jy1NJZIfIQj

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      49daa059670f6f912d4754a24773df9326ef649f419ca2aaebcbee39e4b925e1.doc

    • Size

      27KB

    • MD5

      e65e27e0c4a8ea50e36985a26b33b672

    • SHA1

      47829286b8ab097fa79bf01bd6e8382f321843e3

    • SHA256

      49daa059670f6f912d4754a24773df9326ef649f419ca2aaebcbee39e4b925e1

    • SHA512

      496f269898d3f5e2154b3d4a3d99423be49d7925160f34a6eb00f4490b8de7ea9972d751bd5867600d473de391fd35478d9d840bb664892cfcfa4839a9231a9e

    • SSDEEP

      768:wzFx0XaIsnPRIa4fwJMZnkIMFZy/XyNvdxKC:of0Xvx3EMZkDccvdxv

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks