General

  • Target

    2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632

  • Size

    786KB

  • Sample

    240408-bvgerscg37

  • MD5

    2b7ce040579f182b8c63ab5984038586

  • SHA1

    174b5761db55cdbf5fba447fb5772cafbcef66df

  • SHA256

    2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632

  • SHA512

    5128a2cfdb4e14def232c0819a31aec2294f2768ff31c2e6044c6d9a3627bf1067b8bb5ea8a6bba0196a69fb00f3bd84c498e6e3136eda2cbc64150207254aef

  • SSDEEP

    12288:bsJvmJFUAQGEj67//rKG7Ah9SL1jdlQSBP9BYy9597IJXUxkx:IJvmrU7jjOrKG7A/G1B2SBFL59YAe

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632

    • Size

      786KB

    • MD5

      2b7ce040579f182b8c63ab5984038586

    • SHA1

      174b5761db55cdbf5fba447fb5772cafbcef66df

    • SHA256

      2156082a4e28c65689e951395aa84f5fdeb8b7e8b39acb61acf80ba199af0632

    • SHA512

      5128a2cfdb4e14def232c0819a31aec2294f2768ff31c2e6044c6d9a3627bf1067b8bb5ea8a6bba0196a69fb00f3bd84c498e6e3136eda2cbc64150207254aef

    • SSDEEP

      12288:bsJvmJFUAQGEj67//rKG7Ah9SL1jdlQSBP9BYy9597IJXUxkx:IJvmrU7jjOrKG7A/G1B2SBFL59YAe

    • AgentTesla

      Agent Tesla is an information-stealing remote access tool (RAT) written in .NET (VB.NET); it harvests stored credentials and keystrokes and exfiltrates them over SMTP, FTP or HTTP.

    • GuLoader, CloudEyE

      A shellcode-based downloader first seen in 2020 and sold as CloudEyE. It is heavily obfuscated, runs anti-debugging and anti-VM checks, then downloads an encrypted payload (often from cloud storage) and injects it into a new process; here the payload is Agent Tesla.

    • Loads dropped DLL

      The NSIS installer extracts its nsExec.dll plugin to $PLUGINSDIR and loads it (listed as a separate target below).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag so that the thread's debug events are never delivered to an attached debugger; an anti-analysis technique characteristic of GuLoader.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class on an existing thread, with the same effect as above; a breakpoint in such a thread crashes the process instead of stopping in the debugger.

    • Suspicious use of SetThreadContext

      Rewrites the context of a thread in another process, typically to point a suspended process's entry point at injected code (process hollowing) before resuming it.

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ac0f93b2dec82e9579bff14c8572a6c8

    • SHA1

      6460244317cbb77e342adb3561ec3acb496c84d5

    • SHA256

      3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34

    • SHA512

      8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2

    • SSDEEP

      96:5OBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+u3wEX:5hB2flXAVJtjf6cBbcB/N8Ved0PJ

    Score
    3/10
    • Target

      Armeringen/Indlsningers/Viewably.Luk

    • Size

      58KB

    • MD5

      fa9fdfd55bab2c911783336c208665af

    • SHA1

      f7f4cdedc334a1050c0e8f649c085275d633ff7e

    • SHA256

      71671a408be5c07d907a66acbc416ed5a94b3b6b98ec043d615b9dad8bd27d39

    • SHA512

      464da697cee044bb412da4fd418081016fc5735957ad74788ce3508b1da531a07b5bd0abbc641de3f96222e866d6343d70c267e30ab472844b9efde0a0d5df8a

    • SSDEEP

      768:MKqRiafua4vlHYPgXRHV4gZ6RX/LhfvIsIp5+qkQH9kNcGGmL7UE3qkSrU24MeC0:6iaqlTXi/LhzIe9cG5EciU24IJdIoiau

    Score
    8/10
    • Modifies Installed Components in the registry

      Writes under Active Setup\Installed Components, a persistence location whose StubPath command is run once for each user at logon.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
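The Targets block above is the machine-usable part of this report. The following added example (not part of the sandbox report or of any tool it names) parses that layout, a label bullet followed by its value on the next line, signature bullets with an optional description line, and a Score line followed by N/10, into one record per artifact, and then matches a local file against the listed hashes. The SAMPLE_REPORT string is a constructed excerpt of the two secondary targets above with SHA512 and SSDEEP dropped for brevity; Artifact, parse_targets, artifact_from_bytes and match_ioc are names chosen here.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_FIELDS = ("MD5", "SHA1", "SHA256", "SHA512")
VALUE_FIELDS = ("Target", "Size") + HASH_FIELDS + ("SSDEEP",)
BULLET = re.compile(r"^\s*•\s*(.+?)\s*$")
SCORE = re.compile(r"^(\d+)/10$")

# Constructed excerpt of the Targets block from the report (SHA512/SSDEEP omitted).
SAMPLE_REPORT = """\
Targets
    • Target
      $PLUGINSDIR/nsExec.dll
    • MD5
      ac0f93b2dec82e9579bff14c8572a6c8
    • SHA1
      6460244317cbb77e342adb3561ec3acb496c84d5
    • SHA256
      3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34
    Score
    3/10
    • Target
      Armeringen/Indlsningers/Viewably.Luk
    • MD5
      fa9fdfd55bab2c911783336c208665af
    • SHA256
      71671a408be5c07d907a66acbc416ed5a94b3b6b98ec043d615b9dad8bd27d39
    Score
    8/10
    • Modifies Installed Components in the registry
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
"""

@dataclass
class Artifact:
    name: str = ""
    fields: Dict[str, str] = field(default_factory=dict)
    signatures: List[List[str]] = field(default_factory=list)  # [name, description]
    score: Optional[int] = None

def parse_targets(text: str) -> List[Artifact]:
    """Walk the report line by line; every '• Target' bullet opens a new artifact."""
    artifacts: List[Artifact] = []
    cur: Optional[Artifact] = None
    pending_field = None   # value field whose value is on the next line
    pending_sig = None     # signature bullet that may carry a description line
    expect_score = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BULLET.match(raw)
        if m:
            label = m.group(1)
            pending_sig = pending_field = None
            if label == "Target":
                cur = Artifact()
                artifacts.append(cur)
            if cur is None:
                continue
            if label in VALUE_FIELDS:
                pending_field = label
            else:
                pending_sig = [label, ""]
                cur.signatures.append(pending_sig)
            continue
        if line == "Score":
            expect_score = True
            continue
        if expect_score:
            s = SCORE.match(line)
            if s and cur is not None:
                cur.score = int(s.group(1))
            expect_score = False
            continue
        if cur is None:
            continue
        if pending_field:
            cur.fields[pending_field] = line
            if pending_field == "Target":
                cur.name = line
            pending_field = None
        elif pending_sig is not None:
            pending_sig[1] = line   # same list object already stored in cur.signatures
            pending_sig = None
    return artifacts

def digest(data: bytes) -> Dict[str, str]:
    return {alg: hashlib.new(alg.lower(), data).hexdigest() for alg in HASH_FIELDS}

def artifact_from_bytes(name: str, data: bytes) -> Artifact:
    """Describe a local file the same way the report does, so it can be compared."""
    return Artifact(name=name, fields={"Target": name, **digest(data)})

def match_ioc(data: bytes, artifacts: List[Artifact]) -> Optional[Artifact]:
    """Return the artifact whose listed hashes all match `data`, else None.
    Every hash the report lists must agree; a lone MD5 or SHA1 hit is not trusted."""
    d = digest(data)
    for a in artifacts:
        expected = {k: v.lower() for k, v in a.fields.items() if k in HASH_FIELDS}
        if expected and all(d[k] == expected[k] for k in expected):
            return a
    return None
```

Matching requires every hash the report lists to agree, so a collision on MD5 or SHA1 alone cannot produce a false hit; SSDEEP is deliberately left out of the match because a fuzzy-hash score is a similarity judgement, not an identity check.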
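The "Looks up external IP address via web service" behaviour noted for the main sample is one of the few network artefacts a stealer produces before exfiltration, so it is worth a hunt. The following added example (not from the report or any tool it names) runs that check over DNS-query events. The watch-list of IP-lookup domains and the set of commonly hollowed .NET host processes are assumptions made here (the report does not say which service this sample used or which process made the request), and the log lines are constructed.

```python
from typing import List, Tuple

# Assumed watch-list of public IP-lookup services; the report does not name the one queried.
IP_LOOKUP_DOMAINS = {
    "api.ipify.org", "icanhazip.com", "checkip.dyndns.org",
    "ipinfo.io", "ip-api.com", "ifconfig.me", "checkip.amazonaws.com",
}
# Assumed: signed .NET utilities that loaders commonly hollow to host a stealer.
HOLLOWED_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed sample DNS-query events: "<timestamp> <host> <image> <query>"
SAMPLE_DNS_LOG = """\
2024-04-08T10:01:02Z WS01 chrome.exe www.example.com.
2024-04-08T10:01:15Z WS01 chrome.exe ipinfo.io.
2024-04-08T10:02:41Z WS01 RegSvcs.exe api.ipify.org.
2024-04-08T10:02:42Z WS01 RegSvcs.exe smtp.example.net.
2024-04-08T10:03:07Z WS02 update.exe api.ipify.org.
"""

def is_ip_lookup(query: str) -> bool:
    """True for a watch-listed domain or any subdomain of one (case-insensitive)."""
    q = query.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in IP_LOOKUP_DOMAINS)

def severity(image: str) -> str:
    name = image.lower()
    if name in HOLLOWED_HOSTS:
        return "high"      # a .NET utility has no business asking for the public IP
    if name in BROWSERS:
        return "low"       # users do visit these sites by hand
    return "medium"        # unknown process: worth a look, not an alert on its own

def flag_ip_lookups(log_text: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (timestamp, host, image, domain, severity) for every watch-list hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue   # skip malformed lines rather than crash the sweep
        ts, host, image, query = parts
        if is_ip_lookup(query):
            hits.append((ts, host, image, query.rstrip("."), severity(image)))
    return hits
```

The severity split matters more than the domain match: the lookup itself is benign traffic, and the signal is who makes it. A RegSvcs.exe or MSBuild.exe process resolving api.ipify.org and then an SMTP host within seconds (as in the sample lines) is the Agent Tesla pattern; the same query from a browser is noise.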

MITRE ATT&CK Enterprise v15

Tasks