General

  • Target

    8c208bd1e64d961dc972c12d8736c7b5e2f532003fc8563c021e85a60f944833

  • Size

    843KB

  • Sample

    231208-c2s8ksgg67

  • MD5

    2d3733aa2dcf9beccb8e64c5ed45ef86

  • SHA1

    3735d31f58789144b4f2c819e9cc33b7c863b083

  • SHA256

    8c208bd1e64d961dc972c12d8736c7b5e2f532003fc8563c021e85a60f944833

  • SHA512

    87ccca3c4b7f33f7a4a95951d2e730a95cb4f3cf1ff86197a93175eda1eed57130283df5d299c29ceba633e5c4042c37ea01ca537888f5b6f47937e039a96a25

  • SSDEEP

    12288:hfYNr4RaVxP45+po21SMs3KSA6lTCnBjDPbQYAxIUpu7b1h2Hzq:UVk+pJsMsKSA6BCnBzwIrPQz

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6547287693:AAGGgrnDvtLiSnFJxDycaluud9osnQGIN1E/
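The only C2 in the extracted config is a Telegram Bot API URL, so the bot token embedded in the path is the sample's exfiltration credential: whoever holds it can call the Bot API as that bot, and any endpoint that talks to api.telegram.org/bot<token>/ is automation or malware (Telegram's own desktop and mobile clients use MTProto, not the Bot API). The Python below is an added example, not part of the report or of any sandbox's code: it splits the config URL above into indicator fields (bot id, token, a defanged form safe to share) and then hunts for Bot API traffic in proxy logs. The log lines, the process names and the second token in them are constructed for the example; the token format (numeric bot id, colon, 35-character secret) is Telegram's.

```python
import re
from urllib.parse import urlsplit

# Telegram bot tokens are "<numeric bot id>:<35-char secret>"; the Bot API
# carries them in the URL path as /bot<token>/<method>.
TOKEN_RE = re.compile(r"/bot(\d{8,10}):([A-Za-z0-9_-]{35})(?:/([A-Za-z]+))?")


def extract_telegram_c2(c2_url: str) -> dict:
    """Split an extracted Telegram C2 URL into indicator fields."""
    parts = urlsplit(c2_url)
    if parts.netloc.lower() != "api.telegram.org":
        raise ValueError(f"not a Telegram Bot API URL: {c2_url}")
    m = TOKEN_RE.search(parts.path)
    if m is None:
        raise ValueError(f"no bot token in path: {parts.path}")
    bot_id, secret, _method = m.groups()
    return {
        "bot_id": bot_id,
        "token": f"{bot_id}:{secret}",
        # Defanged form: the indicator can be shared without handing out a usable token.
        "defanged": f"hxxps://api.telegram[.]org/bot{bot_id}:{secret[:4]}...{secret[-4:]}/",
    }


# Constructed proxy log (timestamp process dst_host path); not from the report.
# The first Bot API hit is a hypothetical admin script with its own token, the
# second is the token from this sample's config, both assumed for the example.
SAMPLE_PROXY_LOG = """\
2023-12-08T10:14:02Z chrome.exe web.telegram.org /
2023-12-08T10:14:05Z python.exe api.telegram.org /bot1122334455:AAHabcdefghijklmnopqrstuvwxyz012345/getUpdates
2023-12-08T10:15:11Z Invoice.exe api.telegram.org /bot6547287693:AAGGgrnDvtLiSnFJxDycaluud9osnQGIN1E/sendDocument
2023-12-08T10:15:12Z Invoice.exe api.ipify.org /
"""


def hunt_bot_api_traffic(log_text: str, known_tokens: set) -> list:
    """Flag every request to the Telegram Bot API and mark the ones that use a
    token recovered from a malware config. Telegram clients speak MTProto, so
    Bot API traffic from an endpoint is worth a look even without a known token."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, path = line.split()
        if host.lower() != "api.telegram.org":
            continue
        m = TOKEN_RE.search(path)
        if m is None:
            continue
        bot_id, secret, method = m.groups()
        hits.append({
            "time": ts,
            "process": proc,
            "bot_id": bot_id,
            "method": method or "",
            "known_c2": f"{bot_id}:{secret}" in known_tokens,
        })
    return hits


if __name__ == "__main__":
    c2 = extract_telegram_c2(
        "https://api.telegram.org/bot6547287693:AAGGgrnDvtLiSnFJxDycaluud9osnQGIN1E/")
    print(c2["defanged"])
    for hit in hunt_bot_api_traffic(SAMPLE_PROXY_LOG, {c2["token"]}):
        print(hit)
```

The method name (sendDocument, sendMessage) is kept in each hit because it tells you what was exfiltrated: AgentTesla sends harvested credentials as a document or message to the operator's chat. Matching on the bot id alone is enough to tie later traffic to this config even if the secret is rotated, since the id is stable for the life of the bot.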

Targets

    • Target

      8c208bd1e64d961dc972c12d8736c7b5e2f532003fc8563c021e85a60f944833

    • Size

      843KB

    • MD5

      2d3733aa2dcf9beccb8e64c5ed45ef86

    • SHA1

      3735d31f58789144b4f2c819e9cc33b7c863b083

    • SHA256

      8c208bd1e64d961dc972c12d8736c7b5e2f532003fc8563c021e85a60f944833

    • SHA512

      87ccca3c4b7f33f7a4a95951d2e730a95cb4f3cf1ff86197a93175eda1eed57130283df5d299c29ceba633e5c4042c37ea01ca537888f5b6f47937e039a96a25

    • SSDEEP

      12288:hfYNr4RaVxP45+po21SMs3KSA6lTCnBjDPbQYAxIUpu7b1h2Hzq:UVk+pJsMsKSA6BCnBzwIrPQz

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), commonly described as written in Visual Basic .NET. It harvests credentials from browsers, email and FTP clients and exfiltrates them over SMTP, FTP, HTTP or, as in this sample's extracted config, the Telegram Bot API.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence so the stealer can refuse to run in regions the operator wants to avoid.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla, whose site manager and recent-servers files store hostnames, usernames and passwords.

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk and in the registry, where infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

      Reads the per-user Outlook profile keys in the registry, where account settings and stored mail credentials live.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Changing another thread's context is the classic final step of process hollowing: a legitimate process is started suspended, its memory is overwritten with the payload, the entry point is redirected with SetThreadContext and the thread is resumed, so the stealer runs under a trusted process name.
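The behaviours listed above are the kind of sandbox signatures a triage analyst wants to re-derive from a raw API trace rather than trust as labels. The Python below is an added example, not code from the report or from any sandbox: it scores a per-process API trace against the signatures on this page, including the ordered CreateProcess(CREATE_SUSPENDED), WriteProcessMemory, SetThreadContext, ResumeThread sequence behind the SetThreadContext finding. The trace lines, the process ids, the registry and file paths, and the set of IP-lookup hosts are constructed assumptions for the example; the trace format (pid, API name, argument) is invented here.

```python
import re
from collections import defaultdict

# Constructed sandbox API trace: "<pid> <API> <argument>". Not output from the report.
# pid 1234 is the hypothetical stealer, pid 9999 a benign process for contrast.
SAMPLE_TRACE = r"""
1234 RegOpenKeyEx HKCU\Control Panel\International\Geo\Nation
1234 CreateFile C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml
1234 CreateFile C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
1234 RegOpenKeyEx HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
1234 InternetOpenUrl http://api.ipify.org/
1234 CreateProcess C:\Windows\System32\svchost.exe flags=0x4
1234 WriteProcessMemory target=5678
1234 SetThreadContext target=5678
1234 ResumeThread target=5678
9999 CreateFile C:\Users\victim\Documents\notes.txt
9999 InternetOpenUrl https://example.com/
"""

# Signature name -> (regex on the API name, regex on the argument).
# Paths are the usual locations for these artefacts; the IP-lookup hosts are
# assumed examples of "a legitimate IP lookup service".
SIGNATURES = {
    "Checks computer location settings":
        (r"^Reg", r"Control Panel\\International\\Geo\\Nation$"),
    "Reads data files stored by FTP clients":
        (r"^CreateFile", r"\\FileZilla\\(recentservers|sitemanager)\.xml$"),
    "Reads user/profile data of web browsers":
        (r"^CreateFile", r"\\User Data\\.*\\Login Data$"),
    "Accesses Microsoft Outlook profiles":
        (r"^Reg", r"\\Office\\[\d.]+\\Outlook\\Profiles"),
    "Looks up external IP address via web service":
        (r"^Internet", r"^https?://(api\.ipify\.org|checkip\.dyndns\.org|ipinfo\.io)"),
}

# Process-hollowing API order; CreateProcess must carry CREATE_SUSPENDED (0x4).
HOLLOWING_SEQUENCE = ["CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def _created_suspended(arg: str) -> bool:
    m = re.search(r"flags=(0x[0-9a-fA-F]+)", arg)
    return bool(m) and (int(m.group(1), 16) & 0x4) != 0


def hollowing_sequence_present(calls: list) -> bool:
    """True if the calls contain the hollowing sequence in order (other calls may
    sit in between); an out-of-order SetThreadContext does not count."""
    idx = 0
    for api, arg in calls:
        want = HOLLOWING_SEQUENCE[idx]
        if api == want and (want != "CreateProcess" or _created_suspended(arg)):
            idx += 1
            if idx == len(HOLLOWING_SEQUENCE):
                return True
    return False


def score_trace(trace_text: str) -> dict:
    """Map each pid to {signature name: matched?} for the signatures above."""
    per_pid = defaultdict(list)
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        pid, api, arg = line.split(maxsplit=2)
        per_pid[int(pid)].append((api, arg))

    report = {}
    for pid, calls in per_pid.items():
        flags = {
            name: any(re.search(api_re, api) and re.search(arg_re, arg, re.IGNORECASE)
                      for api, arg in calls)
            for name, (api_re, arg_re) in SIGNATURES.items()
        }
        flags["Suspicious use of SetThreadContext"] = hollowing_sequence_present(calls)
        report[pid] = flags
    return report


if __name__ == "__main__":
    for pid, flags in score_trace(SAMPLE_TRACE).items():
        matched = [name for name, hit in flags.items() if hit]
        print(pid, matched)
```

Requiring the CREATE_SUSPENDED flag and the call order keeps debuggers and legitimate installers, which also call SetThreadContext, from tripping the hollowing check; the file and registry signatures are deliberately path-anchored so a process that merely enumerates a directory does not score.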

MITRE ATT&CK Enterprise v15

Tasks