General

  • Target

    3b8974abc5bd12b5dc5c5438f83f262ba8c4c01efcee9a95932d98b8817a35cb

  • Size

    587KB

  • Sample

    231209-cfm5faffd2

  • MD5

    62bcb2a5e85045733c1317675ede5529

  • SHA1

    07f5e3a4d0ae03182b7553d1bb5af738624745d7

  • SHA256

    3b8974abc5bd12b5dc5c5438f83f262ba8c4c01efcee9a95932d98b8817a35cb

  • SHA512

    25904446bfa10fb0c5194250d71c86a6045f5ed1f3882d224b1933644d8e09ddbaec773fb890c298edb527c778ec7f538d021691475dfae6b0b0846eaf43329f

  • SSDEEP

    12288:GxPgUrdBpK8vNhdyzpeG6MqgsrUWaCX0uvSGF:Ov/vNhMqd/Sk

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks