General

  • Target

    02be2ba38f47bf58b12515c739d36d435783687e9fc5d5933043bcc2481064c3

  • Size

    1.2MB

  • Sample

    231208-c5hagsgg79

  • MD5

    24ea839175f2a4b5fd4779000b869421

  • SHA1

    757c623bc09b2f57b9e5b6b58bfc40c6e9645f31

  • SHA256

    02be2ba38f47bf58b12515c739d36d435783687e9fc5d5933043bcc2481064c3

  • SHA512

    42d7040057384c40b9aee75ca689d18367e0e983316bf6ba0138d03e62994d6f452bb6abe1c9f0cffac04c82dcebc7cf06ee08440ac0bf29ecc2aa7115611a6c

  • SSDEEP

    96:5AT6dh/TUJQHQ7RqdYt7lrZIjG6DSfA/dgwo/pf8Bhrt0ozNt:aT5OQRz7ZZI9Sf8gw+pUfrKq

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6414995176:AAGuFTS3tKhdeIu6sCNhCNw8cv7vkPJh1TQ/

Targets

    • Target

      Our Inquiry_RFQ Details_Heap lee chan Trading_Pdf.bat

    • Size

      5KB

    • MD5

      307250be963257c7e18a3252e4bd74d4

    • SHA1

      568d3fd58dfbd7140aae6a7840460b343c83c13f

    • SHA256

      9bdd0e7c37eeae0f6d4da635e9c856fb2e009aa7ed59777f33776ff89066fba6

    • SHA512

      71bbc3c7013730683d33c594613dc831c337ca0298975f42705e92afeb2c34b78b166820f4f4b05480f4673c626d0f81c40372090627a76562454e1a8fade484

    • SSDEEP

      48:6Qi+hmUGDJrNHIjfe6DSfAEnwgKgwoWz6Ao/CIjfdUhLQIfhsFwQpsVtiOlSDqFQ:G7lrZIjG6DSfA/dgwo/pf8Bhrt0ozNt

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks