General

  • Target: AYF00675.lnk
  • Size: 1KB
  • Sample: 231207-jgd2gshhel
  • MD5: 92cff55b70b6556b395300de968521fc
  • SHA1: 4bfccd1a6dc2a775a497074caecf25386dab49fb
  • SHA256: d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d
  • SHA512: 7b59f385a7bacba7a87479837218f1399894480f2b4ae60811d0c4ec180cfbfde6170ecb0b369f4dd0cd75af02a216b5659e714d7c53d439394664505a9311fe

Malware Config

Extracted

  • Family: agenttesla
  • C2: https://api.telegram.org/bot6184846740:AAFy48QnJEpbqT9DY_xx392kz1tH5_khlWo/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15