General

  • Target

    15477_9153a8b3b10c014b57d836be98255e8747f3ee4d933c8ed1980cde09d5dec0e9.zip

  • Size

    50KB

  • Sample

    240321-nre4raca3z

  • MD5

    3386b0e621582e37fdeadd04f82938b8

  • SHA1

    1d3f53740da80b39ce28f27dffa86335ae95e629

  • SHA256

    2d31b1612fd5bbad0e5cc10b19d0606af78cc1ca000f3857bedebdbe56847a08

  • SHA512

    f3596175a24e596cb55eb2eabdc137430356955faecb7a3ffd61dad405be93b5128bf099f833df01afb04585c3b2ab688eee33b6b6d720754076076a94e88859

  • SSDEEP

    768:msKA7RYuZTJAZEBN6j23VThMSjZ1sepH8a3Ah//EOHT/1q52k8bHu9GhVbO6A0Q2:m3AttJAZb63VTa8Vpc7p/bqT8bRhFZZN

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7065574915:AAGqdyBoQ1HUjGuLPU7BdeGxB07q15OCF18/

Targets

    • Target

      9153a8b3b10c014b57d836be98255e8747f3ee4d933c8ed1980cde09d5dec0e9

    • Size

      448KB

    • MD5

      241036b62b644433eeda9f4bf4c8dc40

    • SHA1

      57e00fd86695049639168c22fb5bb9ab9136a7fe

    • SHA256

      9153a8b3b10c014b57d836be98255e8747f3ee4d933c8ed1980cde09d5dec0e9

    • SHA512

      28097d26167483c9dc57230875bd551985278fb452ba74e7e0914ddb9c3894ff27e7cf088b6b2cdbb2054a52001c540c3c89119b010e9f3201ec4e284b96dae1

    • SSDEEP

      3072:HS6MBoglFU8uT14K5BjWUzpsYyjxh4H444lM:H8BoO+T4KOO6f4H444l

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks