General

  • Target

    731adf7ac51c45d16b4eabb8a2cba5789498f52e355cbe278cb54172ecc884f2

  • Size

    500KB

  • Sample

    240322-cpxegafb44

  • MD5

    e50c647ade760bb34458f4a23458da14

  • SHA1

    cc1f2cebabc8fb3208818b2028b18b0040e2c229

  • SHA256

    731adf7ac51c45d16b4eabb8a2cba5789498f52e355cbe278cb54172ecc884f2

  • SHA512

    01b4dc95023981513e8912b37c5ba5aa6b9c232c8c80dbd50e6930c9b9a334a9ea3c09b87c978a22c18f1251488e32b639780d5f749b1067cfab11f29319c5c3

  • SSDEEP

    3072:/S6MBoglFU8uT14K5BjWUzpsYyjxh4H444lM:/8BoO+T4KOO6f4H444l

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7065574915:AAGqdyBoQ1HUjGuLPU7BdeGxB07q15OCF18/

Targets

    • Target

      1C24TNN_00000014.exe

    • Size

      448KB

    • MD5

      241036b62b644433eeda9f4bf4c8dc40

    • SHA1

      57e00fd86695049639168c22fb5bb9ab9136a7fe

    • SHA256

      9153a8b3b10c014b57d836be98255e8747f3ee4d933c8ed1980cde09d5dec0e9

    • SHA512

      28097d26167483c9dc57230875bd551985278fb452ba74e7e0914ddb9c3894ff27e7cf088b6b2cdbb2054a52001c540c3c89119b010e9f3201ec4e284b96dae1

    • SSDEEP

      3072:HS6MBoglFU8uT14K5BjWUzpsYyjxh4H444lM:H8BoO+T4KOO6f4H444l

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • PureLog Stealer

      PureLog Stealer is an infostealer written in C#.

    • PureLog Stealer payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks