General

  • Target

    Win Quick Config.exe

  • Size

    3.7MB

  • Sample

    240310-vzrwvahb23

  • MD5

    11a02e5a408789037713b8d54b1274c9

  • SHA1

    24c31db3ff856a855e9f3b99ccfa528809537b8c

  • SHA256

    3feaec930748c0217b9201c660288196dc972dddb85211224a21a282fba4650f

  • SHA512

    749cfc58be6d72200df5c07155006851e265a66f6dc5edf146ece91385bf6e3dd0268a2d94c9c381a7208b1fbdd10759cd6107466a167c272640322fa7f08026

  • SSDEEP

    98304:NonccIUbMpphLPEIccIUbMpphLPEUmF6L6NesezlkqXf0Fk82kBQJ:aNIUApphLJNIUApphLFy6L6NesepkSIa

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family is a file infector: it injects itself into other executables to spread and cause damage.

    • AgentTesla payload

    • Downloads MZ/PE file

    • Modifies RDP port number used by Windows

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks