General

  • Target

    f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe

  • Size

    409KB

  • Sample

    240316-dj5dkaae7z

  • MD5

    a64f48e05fc7d21131ee7f86181413b0

  • SHA1

    5f34901b97296aa07e210810bbf75269a2701113

  • SHA256

    f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08

  • SHA512

    af4c41f4d6da19ef88b037ba8498057e5bff7460b4c7abc604652898ed775dc547e06627618d422e6f3396b7dbb6a9388f5db46c56d08dabf02b3df5e5355ff4

  • SSDEEP

    1536:jxGspx6tjTBchm0hOrtHhYJu6RlXKd+8kGoY5arTKyAWNHRjmz+4H444lM:1LUzAetBeW+8kGP5arTKyjxh4H444lM

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6359093814:AAF_EjsxYKPM2ufeJYS89EiAg_4CPa-HNlM/

Targets

    • Target

      f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe

    • Size

      409KB

    • MD5

      a64f48e05fc7d21131ee7f86181413b0

    • SHA1

      5f34901b97296aa07e210810bbf75269a2701113

    • SHA256

      f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08

    • SHA512

      af4c41f4d6da19ef88b037ba8498057e5bff7460b4c7abc604652898ed775dc547e06627618d422e6f3396b7dbb6a9388f5db46c56d08dabf02b3df5e5355ff4

    • SSDEEP

      1536:jxGspx6tjTBchm0hOrtHhYJu6RlXKd+8kGoY5arTKyAWNHRjmz+4H444lM:1LUzAetBeW+8kGP5arTKyjxh4H444lM

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic .NET.

    • Detect ZGRat V1

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • ZGRat

      ZGRat is a remote access trojan (RAT) written in C#.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Suspicious use of SetThreadContext
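The report above gives two things a responder can act on directly: the file hashes of the sample and the Telegram Bot API URL that the extracted Agent Tesla config uses for exfiltration (the path is bot<bot_id>:<token>, and the method name such as sendDocument follows it). The script below is an added example, not part of the sandbox report: it hashes a file with all four algorithms listed above and reports which ones match, and it scans constructed proxy-log lines for the bot-token URL pattern so the bot id can be pulled out and compared with the one in the config. The log lines and the field layout are constructed for the example; the hashes and C2 URL are copied from the report.

```python
"""IOC checks for the Agent Tesla sample in the report above (added example)."""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Hashes copied from the report's General section.
SAMPLE_IOCS: Dict[str, str] = {
    "md5": "a64f48e05fc7d21131ee7f86181413b0",
    "sha1": "5f34901b97296aa07e210810bbf75269a2701113",
    "sha256": "f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08",
    "sha512": (
        "af4c41f4d6da19ef88b037ba8498057e5bff7460b4c7abc604652898ed775dc5"
        "47e06627618d422e6f3396b7dbb6a9388f5db46c56d08dabf02b3df5e5355ff4"
    ),
}

# C2 URL copied from the extracted config.
C2_URL = "https://api.telegram.org/bot6359093814:AAF_EjsxYKPM2ufeJYS89EiAg_4CPa-HNlM/"


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute every digest the report lists for an in-memory buffer."""
    digests = {}
    for name in SAMPLE_IOCS:
        h = hashlib.new(name)
        h.update(data)
        digests[name] = h.hexdigest()
    return digests


def hash_file(path: Path) -> Dict[str, str]:
    """Same digests for a file on disk, streamed in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in SAMPLE_IOCS}
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: Dict[str, str], iocs: Dict[str, str] = SAMPLE_IOCS) -> List[str]:
    """Names of the algorithms whose digest equals the report's value."""
    return [name for name, value in iocs.items() if digests.get(name, "").lower() == value]


# Telegram Bot API: /bot<numeric bot id>:<token>/<method>. The token alphabet
# (letters, digits, '_' and '-') and the 30+ length are assumptions based on
# the token shape in the config, not a published Telegram specification.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{30,})"
    r"(?:/(?P<method>\w+))?"
)


def find_telegram_c2(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that carries a bot-token URL."""
    hits = []
    for line in lines:
        m = TELEGRAM_BOT_RE.search(line)
        if m:
            hits.append({
                "bot_id": m.group("bot_id"),
                "method": m.group("method") or "",
                "line": line.strip(),
            })
    return hits


# Constructed proxy-log lines (timestamp, client, method, URL, status) for the
# example; the middle line reuses the report's C2 URL with a sendDocument call.
CONSTRUCTED_PROXY_LOG = [
    "2024-03-16 04:12:09 10.0.0.15 CONNECT api.telegram.org:443 200",
    "2024-03-16 04:12:10 10.0.0.15 POST " + C2_URL + "sendDocument 200",
    "2024-03-16 04:13:00 10.0.0.22 GET https://www.example.com/ 200",
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        matched = match_iocs(hash_file(Path(sys.argv[1])))
        print("hash match:", matched or "none")
    for hit in find_telegram_c2(CONSTRUCTED_PROXY_LOG):
        print("Telegram bot C2: id", hit["bot_id"], "method", hit["method"] or "(none)")
```

Run it as `python ioc_check.py suspect.exe` to hash a file; the log scan runs against the constructed lines. Note that the first constructed line (a bare CONNECT to api.telegram.org) does not match: without TLS inspection, all a proxy sees is the hostname, which is also used by legitimate Telegram clients, so the bot id in the URL path, or the config extracted from the sample as in this report, is what lets you attribute the traffic to this family.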

MITRE ATT&CK Matrix

Tasks