Resubmissions

  • 23/02/2024, 12:10    240223-pb4ylsga55    10
  • 22/02/2024, 22:07    240222-11m7yagb33    10
  • 22/02/2024, 21:43    240222-1k1hbsfh37    10

General

  • Target: Proforma fatura.msg
  • Size: 49KB
  • Sample: 240223-pb4ylsga55
  • MD5: 36295a4ab503049b1440a9f055697f0d
  • SHA1: ea0ef251142eab81978cd972415810d7c0d6f02d
  • SHA256: 307119554d57a79005b8b76c692ff226ca961b17f7f9ad0d43590556632d3745
  • SHA512: 37ade30a49967a1f358c2b888f66181e1a8158ceeddcb81c55e0aa44923764b12fc4cb8a51988a42dd2a56c0f33119a8eed76afcc4e7709372fb3cc4febd095a
  • SSDEEP: 768:1GuV05mXur1ABsZLSB8CA0J3sKHsK99Rh5ETBsIwIDpa:fe4ZhPBh5ETBsYp

Malware Config

Extracted

  • Family: agenttesla
  • C2: https://api.telegram.org/bot6981023497:AAHl8hNT6c3ywQtrLSswit8gBAF4M9xCAZU/

Targets

    • Target: Proforma fatura.msg
    • Size: 49KB
    • MD5: 36295a4ab503049b1440a9f055697f0d
    • SHA1: ea0ef251142eab81978cd972415810d7c0d6f02d
    • SHA256: 307119554d57a79005b8b76c692ff226ca961b17f7f9ad0d43590556632d3745
    • SHA512: 37ade30a49967a1f358c2b888f66181e1a8158ceeddcb81c55e0aa44923764b12fc4cb8a51988a42dd2a56c0f33119a8eed76afcc4e7709372fb3cc4febd095a
    • SSDEEP: 768:1GuV05mXur1ABsZLSB8CA0J3sKHsK99Rh5ETBsIwIDpa:fe4ZhPBh5ETBsYp

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads WinSCP keys stored on the system
      Tries to access WinSCP stored sessions.
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk where infostealers will often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses Microsoft Outlook profiles
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

    • Target: Proforma fatura.PNG
    • Size: 7KB
    • MD5: b8b637cb0bce40a5bfa4ee480016e73d
    • SHA1: ec25504dba1dc470f7e3c2391ffa799d6de97b6a
    • SHA256: 422d39122b002e41f18a2f0045ac9dd187fcca567cfae4482f0f6f77e9cdf6d9
    • SHA512: ffea9772d151b4d606f3a0e4e6a705b587b0ac4153a3cf63a725abb785ea813cdd11bbd6a7fb0735798501dc3128f7afe88866e2d2733088e551c8414bdfbcc7
    • SSDEEP: 192:vaHZD1oYEotG1MY5vYl+mIm9IvkmheX/ymYDn:6ZDyYE0+MYsIwIvkmheXqVn

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks