General

  • Target

    b7a0650b0c735306e905d5f11a676a63bfa193ee6befef519d890dc4197b76c7

  • Size

    556KB

  • Sample

    240326-bs3j8abc64

  • MD5

    5ad4304f5339ad1ef6517bc8a98e77a0

  • SHA1

    231ff64e77b60ea34dde49a9ae220124c8232084

  • SHA256

    b7a0650b0c735306e905d5f11a676a63bfa193ee6befef519d890dc4197b76c7

  • SHA512

    a357d8b9b31cbc1148d424e98bec21c27e9a6fb4cf4f61159bd90051e608a511a3227651b271d03fd83513499bb92adffb741dc2f1a17896f4812aaf38e40e47

  • SSDEEP

    12288:XRpErqjRdFy/8hqQu9RSFwmQY/iIfu+OJEsJLggzOdB/:I/y+Z/Y6GuLJEqMgzOdR

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7067189439:AAGiycb7fUr8kAg9CwwJdg2FmcjxTPM4QdE/

Targets

    • Target

      navda_br-_700611_-_C.E.F.exe

    • Size

      666KB

    • MD5

      488f7c46fd3b3068282b18b18e964623

    • SHA1

      d37bbb31a49e3f2a822439dc60750389520a3e70

    • SHA256

      36dc6d69051881463f748304e078d41ae15599020eead2297881826113321022

    • SHA512

      a6ff8d7f5a9d63d6dede1c09de8f45f77948b0be2330b88c9e55c5d851d5a7afd297c7481f5483695681379c989107b0aec6aa9e630de9123acf89deca9bdcad

    • SSDEEP

      12288:FLTA8PHO5mU0It6TIhEQIJtuFmCQYziILm+OD5+I3/:9TA8PO5mU16T+YFTYOOmLD3

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Raskmeldingen/Skibsrederier249/Prezone.Lge

    • Size

      58KB

    • MD5

      d9c5f2e8ea0f8260741b494f3df7e200

    • SHA1

      a833e08e3fafe2bf44c05bbcf69b1b9c76552682

    • SHA256

      0c607fc96e393946eee8c2f79da678e2d91744a931286e8fa9bdd7909b9e5f6e

    • SHA512

      09f4e7a2a7686e5bcdd8e333f8572fac2423ba5f991407d127d2183119fcbb4a157e6c856305106f4e09235b40840c6b4183ab40000073248016395198eb6df6

    • SSDEEP

      1536:3kXcwGyxS/JUMb2YvsTzywLR/SjPCnS4yqxZejyPjZVCZlr:3kXcWxS2M+g6XxXyr

    • Score

      8/10

    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks