General

  • Target

    3.doc

  • Size

    65KB

  • Sample

    230825-m3cbkaah85

  • MD5

    a1816ace062bdbcb202e580810d5aceb

  • SHA1

    d58ffa926fe4a58bf7ac76d994f9a576cf62fd1d

  • SHA256

    1ee34dc849cd10bab8d08dec7076ab644851c55a1765de44e8187a53c137569b

  • SHA512

    630f871ce4505f0d881a43ab540a1b92ec9d1be6a47f68c30f6fc110e4dae9d40672d4560c7b10cd8168d923f5292b4d285d99bd7377a57d681cf06ed6331625

  • SSDEEP

    1536:TwAlReA72q/FbwzaXXJY7JrZC2KPJAOQnnYA+1xt7tuTQj0VEba2Uy0wddJaps:TwAln//FbwzaXXJQJrZC2KPjQnn9kxtj

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks