General

  • Target

    2a0620b58f5efd4de19f069d071c16d0abe4023da27067ffc1ce379c8f2ea669

  • Size

    681KB

  • Sample

    240326-bq9whsbc48

  • MD5

    860b9067335d433b623a3462220c28dc

  • SHA1

    86864b5c5828f3dccd05fc1589708d5d191dbbaa

  • SHA256

    2a0620b58f5efd4de19f069d071c16d0abe4023da27067ffc1ce379c8f2ea669

  • SHA512

    61f254450638755b48344b4385d8b6ae46451e2365327edf1be1009782db5e87b3bea4cb608387fb1f220ae9408130f61aa532ec7e40544ad3a616a3db6e7040

  • SSDEEP

    12288:GXbLwUW7q3rIVWvsXR1sHXwRffux01/MHHoMxJfyu4hK:WbJCirXsh1IwRffuQSoMxcxK

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    shark.ipchina163.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    jmgL01XJb+IK

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      2a0620b58f5efd4de19f069d071c16d0abe4023da27067ffc1ce379c8f2ea669


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $WINDIR/ventrodorsally/tilslutningsklare.Phe

    • Size

      58KB

    • MD5

      64a1c85f036343ee0cd9e994aa9ac45f

    • SHA1

      dff7c8f201ed0616c23a0a6b9eb59cd2af2db85c

    • SHA256

      adfd2e99dbcc97e8b47ff1198f3ae372672354e4c01a0af3508575338531aaaa

    • SHA512

      5eedc49cf6c2a84c12117ccec4b5f282fead731311ac317fa9d3b016a26930a58278adcef1850692127eabbc56fb810fbd3129d99b9b0250079c4086e1c83e86

    • SSDEEP

      1536:5PyYVd6mqeUBmB7TQri0DGRfNhrrNqYbjazOv3+SLk9n:5xd6WUBqlr8AjDtLk9n

    Score: 8/10
    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks