General

  • Target

    8b739e545fc95b979031b1d173680e40804cdfae954553daad04f865571072a5.zip

  • Size

    641KB

  • Sample

    240302-xw9nlagb9y

  • MD5

    a7d1e7b1834997d2453bf26f07d9d079

  • SHA1

    e15f0bef1745bbd0e26c93a03f9b9486d0a4e0ef

  • SHA256

    fa14d22ab6a4cadda750966351b22572a810913062f2cab8153eaa7aeff815bc

  • SHA512

    817c3887028d97767de750dac962b50e7304237cb8e29fbcf678753dcc5c803a965c5dcd8377fab37b4e25899f446ff761823b0a662d39762ece0e23e71d80f2

  • SSDEEP

    12288:tpwLK7A5mYqyQJWHJRb6StE3FP/UXu5zs7Z6L0ZGNAxmGYczdl1UXvZZyrHclW:tpwLK7XxYb6SmhouNs7ZbFjYiGDyrHcc

Malware Config

Targets

    • Target

      49136 E2K 610622871149136 E2K 6106228711.exe

    • Size

      804KB

    • MD5

      e8b61b099af93918a7d59477334471e0

    • SHA1

      a2ce7a730e96bf6c8f9cd512993fd67cf0c10767

    • SHA256

      e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb

    • SHA512

      30b93418d244b71718a7fbf6683c27ac4bc799338f67d915367cb7cb5b93dab661b5b9071f49e055e9701d721ef3e788a0632adc062ecd32d1ffe225712bd855

    • SSDEEP

      12288:IYgBDMwdNEb40oLhLr1+vuYdCllN9cnUstwbvhz58lZNKXGLfR:IYgB7mINL/vbDci1p2d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      kigtiqm.exe

    • Size

      872KB

    • MD5

      c56b5f0201a3b3de53e561fe76912bfd

    • SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

    • SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    • SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • SSDEEP

      12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

    Score
    3/10
    • Target

      xmnxoix.au3

    • Size

      4KB

    • MD5

      0d013f6baac0a09a1fb8e14217317503

    • SHA1

      453fba3488930e98d075946a31e5455b84eed5ba

    • SHA256

      0a78523b6163a8372ba64e5cc275d68f6582b7ca3a93e3163ad96251cc788d83

    • SHA512

      05032c4bbdc56992768a87ebaa9a9f43cb9092df401bb61a20673c1bec3a1f3fe4ee7c55c0572ceac9d862538ac765d0e0577cb63424c5edf137f7948feb8ced

    • SSDEEP

      96:8Qj+oh+0ddn/qEMA98SM/26Ai9qFnOnYPUub2:l+oh+0ddn/KA98//26Ao0Oyry

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks