General

  • Target

    b984e4e98a5906f2e4aa6eece57527d0410bbf7faa5d01c33fc280a6f87d3546.exe

  • Size

    800KB

  • Sample

    240323-cygqdacd38

  • MD5

    c0644a075912eda8c219f81fc25d80a2

  • SHA1

    a475519e2cade20a5d5614ab5fc66c637a1f7996

  • SHA256

    b984e4e98a5906f2e4aa6eece57527d0410bbf7faa5d01c33fc280a6f87d3546

  • SHA512

    06f4ae192a31d43925c62b247ac3a1f4d418b995a7d9635841779def617311b01f516be5753c5cb5b033e2ba19b5e794defe86ad840e1bb0ca77cd2efca9e8df

  • SSDEEP

    12288:ghUQmD3ceDqZWJPgCls1bINQhysTF82jb+OSX4S4AGrsEqleoGoOX:ghUD3cZWJ4DbcQrTFDa+rsLko

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7095947285:AAH0OAWsNNNRaRk-0tgESWW6mHr4jwUMS9o/

Targets

    • Target

      b984e4e98a5906f2e4aa6eece57527d0410bbf7faa5d01c33fc280a6f87d3546.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Brk/Fugios/Vrdiforskydninger182.Ten

    • Size

      56KB

    • MD5

      5f0458117d15429d0a8cb5544cb084d5

    • SHA1

      fce6bebe095f0cf2698d0564506a91b57f6ec99d

    • SHA256

      c76d95cb1b49ebefb7510949fd5ee28cae43ddd3ba5ac813ba5e7c37034e5e84

    • SHA512

      17df9360603bdcc81a108e4be3710f7fe92cee99c89d70e14694a19d418505b79723d21543c3a47113347021c100832acb17edd0a90d65b207ffc0ad24638246

    • SSDEEP

      1536:8g68dHlKhcHMxCeFd6CNQxEVD0ZnFaChFe:B68Ohcsxfd6Wr4bo

    • Score

      8/10

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15
