General

  • Target

    9bdd0e7c37eeae0f6d4da635e9c856fb2e009aa7ed59777f33776ff89066fba6

  • Size

    5KB

  • Sample

    231208-c2187agg68

  • MD5

    307250be963257c7e18a3252e4bd74d4

  • SHA1

    568d3fd58dfbd7140aae6a7840460b343c83c13f

  • SHA256

    9bdd0e7c37eeae0f6d4da635e9c856fb2e009aa7ed59777f33776ff89066fba6

  • SHA512

    71bbc3c7013730683d33c594613dc831c337ca0298975f42705e92afeb2c34b78b166820f4f4b05480f4673c626d0f81c40372090627a76562454e1a8fade484

  • SSDEEP

    48:6Qi+hmUGDJrNHIjfe6DSfAEnwgKgwoWz6Ao/CIjfdUhLQIfhsFwQpsVtiOlSDqFQ:G7lrZIjG6DSfA/dgwo/pf8Bhrt0ozNt

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6414995176:AAGuFTS3tKhdeIu6sCNhCNw8cv7vkPJh1TQ/

Targets

    • Target

      9bdd0e7c37eeae0f6d4da635e9c856fb2e009aa7ed59777f33776ff89066fba6

    • Size

      5KB

    • MD5

      307250be963257c7e18a3252e4bd74d4

    • SHA1

      568d3fd58dfbd7140aae6a7840460b343c83c13f

    • SHA256

      9bdd0e7c37eeae0f6d4da635e9c856fb2e009aa7ed59777f33776ff89066fba6

    • SHA512

      71bbc3c7013730683d33c594613dc831c337ca0298975f42705e92afeb2c34b78b166820f4f4b05480f4673c626d0f81c40372090627a76562454e1a8fade484

    • SSDEEP

      48:6Qi+hmUGDJrNHIjfe6DSfAEnwgKgwoWz6Ao/CIjfdUhLQIfhsFwQpsVtiOlSDqFQ:G7lrZIjG6DSfA/dgwo/pf8Bhrt0ozNt

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks