General

  • Target

    5BBE6CBE663FF413C9C7A46720CB1EFD61B07720D0B828D368918E9CEF336B30

  • Size

    613KB

  • Sample

    230718-zjxvdadg74

  • MD5

    78df23e5fbb27d54348bc923408e6083

  • SHA1

    1853562c204377c0cd4b61d6838bd2a7ffcc1c30

  • SHA256

    5bbe6cbe663ff413c9c7a46720cb1efd61b07720d0b828d368918e9cef336b30

  • SHA512

    b787e36fc3d22a50efad85ec11e2e806b3af98f68d25a832ce7b9fff1e281a35a76f9271777b3be7bb90f70cbdbad23da441ad5a0517caae573db964e1cb4a5c

  • SSDEEP

    12288:vCUm4qZoK6U2JgTi8S3y5FeaUB5ZmW5Qj8S3hPUgyIW+a3XK:vDm4mGU2ln/F0n9UgNxaHK

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks