General

  • Target

    b7128db8d1ce07b5f67c861bc3bb5e78e80563fca8c6862bf799247683e7670f.exe

  • Size

    2.5MB

  • Sample

    240317-cpy83ace8t

  • MD5

    6126547ab734fb6d59c9689d6e97e0b1

  • SHA1

    dc62f31b70f43717215f671363249430aac93350

  • SHA256

    b7128db8d1ce07b5f67c861bc3bb5e78e80563fca8c6862bf799247683e7670f

  • SHA512

    8e0136b24336c9b423c1701bb15c85ef1cb424e92423d160e0e0de597bceaa67b476778775bed9b2d330bdc688be15e84a1ca8b1c4940f5367d0e1105e3cc8ed

  • SSDEEP

    49152:bu5meHYWZgAeRrncr4Er3we2sNh4hOtNTdFf4H444lR:bSmceZcMEPdHh4H444lR

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      b7128db8d1ce07b5f67c861bc3bb5e78e80563fca8c6862bf799247683e7670f.exe

    • Size

      2.5MB

    • MD5

      6126547ab734fb6d59c9689d6e97e0b1

    • SHA1

      dc62f31b70f43717215f671363249430aac93350

    • SHA256

      b7128db8d1ce07b5f67c861bc3bb5e78e80563fca8c6862bf799247683e7670f

    • SHA512

      8e0136b24336c9b423c1701bb15c85ef1cb424e92423d160e0e0de597bceaa67b476778775bed9b2d330bdc688be15e84a1ca8b1c4940f5367d0e1105e3cc8ed

    • SSDEEP

      49152:bu5meHYWZgAeRrncr4Er3we2sNh4hOtNTdFf4H444lR:bSmceZcMEPdHh4H444lR

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks