General

  • Target

    a93309c8c29169e4d7b5d488a6a294fa02d4e9662fa9c73a9238cb490c1eac43

  • Size

    238KB

  • Sample

    231209-cby15seahr

  • MD5

    56f8612d6c1275d0d398610ff650e97e

  • SHA1

    939c49228c1bb5f841119e29063818dcb5b032f0

  • SHA256

    a93309c8c29169e4d7b5d488a6a294fa02d4e9662fa9c73a9238cb490c1eac43

  • SHA512

    e65eaa040dc04a402d2dce98fe3a752bfba5c2066355dcf573bc1e631e1df5fbcf25d6ab9a8e661374cbda53a876304bd7991f31407a31d558bb29a3e0c3900a

  • SSDEEP

    768:wwAbZSibMX9gRWjtwAbZSibMX9gRWj3WKeWJZOzJfnF2P:wwAlRkwAlRTKJQO

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6569205768:AAFWajgJdrA1uoTrZsNugbAxQG0czmFH64s/

Targets

    • Target

      a93309c8c29169e4d7b5d488a6a294fa02d4e9662fa9c73a9238cb490c1eac43

    • Size

      238KB

    • MD5

      56f8612d6c1275d0d398610ff650e97e

    • SHA1

      939c49228c1bb5f841119e29063818dcb5b032f0

    • SHA256

      a93309c8c29169e4d7b5d488a6a294fa02d4e9662fa9c73a9238cb490c1eac43

    • SHA512

      e65eaa040dc04a402d2dce98fe3a752bfba5c2066355dcf573bc1e631e1df5fbcf25d6ab9a8e661374cbda53a876304bd7991f31407a31d558bb29a3e0c3900a

    • SSDEEP

      768:wwAbZSibMX9gRWjtwAbZSibMX9gRWj3WKeWJZOzJfnF2P:wwAlRkwAlRTKJQO

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks