General

  • Target

    ORDER-SUNNY 10005916.bat

  • Size

    1009KB

  • Sample

    231208-rbkk3sabdr

  • MD5

    27c302e3247d5a9f8fce50cfba636e22

  • SHA1

    7939d397dba283814967080fb37913d9076dab49

  • SHA256

    1dcd0d42ac6d49c7447bd11b3c08d26b3e03d1000483c8ce1ac6914fd249a6a0

  • SHA512

    040e32f01348045b4a9d65666e7bb966150b3ae34e6078b23c0d3c58a8f18e48096091e05ea5bffa09a4f33f93a441e4767a9d9468e8d3f4adbcfc10733b4c70

  • SSDEEP

    24576:hHOmVihj9V3HNS0B0dgIx4l0ivt/Ixdt+gnfpV6gXhtnLPv+yqV82DqdFUWvw:h6j3fpI57zPVqmTgj

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      ORDER-SUNNY 10005916.bat

    • Size

      1009KB

    • MD5

      27c302e3247d5a9f8fce50cfba636e22

    • SHA1

      7939d397dba283814967080fb37913d9076dab49

    • SHA256

      1dcd0d42ac6d49c7447bd11b3c08d26b3e03d1000483c8ce1ac6914fd249a6a0

    • SHA512

      040e32f01348045b4a9d65666e7bb966150b3ae34e6078b23c0d3c58a8f18e48096091e05ea5bffa09a4f33f93a441e4767a9d9468e8d3f4adbcfc10733b4c70

    • SSDEEP

      24576:hHOmVihj9V3HNS0B0dgIx4l0ivt/Ixdt+gnfpV6gXhtnLPv+yqV82DqdFUWvw:h6j3fpI57zPVqmTgj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks