General

  • Target

    b48a14f185cfd77e01733db2837277db8f47d04f77e6ac7093f0a88927a115fc.exe

  • Size

    1.3MB

  • Sample

    240427-bzkmzshb8x

  • MD5

    280ae1955701d5f84f59ef9f5b8c7412

  • SHA1

    6651afec36ec273a284886892bb22050c3f9931e

  • SHA256

    b48a14f185cfd77e01733db2837277db8f47d04f77e6ac7093f0a88927a115fc

  • SHA512

    e08e57ff1d43ae83451ee99844a7e755ffd3d46f972fbbb8f8779e01413e65fe27cec6701e356a0bc010b827a73045b77b44db098385109f0fa6efd52e9262ed

  • SSDEEP

    24576:ksP3iN7BBmctIoM9jyTPom1msR2vzqtk9Cc2eWhCM6aHay1f5t:kpFBmcm56wGmXv2qYIWQba68D

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.medicalhome.com.pe
  • Port:
    587
  • Username:
    info@medicalhome.com.pe
  • Password:
    MHinfo01
  • Email To:
    og.bahd@yandex.ru

Targets

    • Target

      b48a14f185cfd77e01733db2837277db8f47d04f77e6ac7093f0a88927a115fc.exe

    • Size

      1.3MB

    • MD5

      280ae1955701d5f84f59ef9f5b8c7412

    • SHA1

      6651afec36ec273a284886892bb22050c3f9931e

    • SHA256

      b48a14f185cfd77e01733db2837277db8f47d04f77e6ac7093f0a88927a115fc

    • SHA512

      e08e57ff1d43ae83451ee99844a7e755ffd3d46f972fbbb8f8779e01413e65fe27cec6701e356a0bc010b827a73045b77b44db098385109f0fa6efd52e9262ed

    • SSDEEP

      24576:ksP3iN7BBmctIoM9jyTPom1msR2vzqtk9Cc2eWhCM6aHay1f5t:kpFBmcm56wGmXv2qYIWQba68D

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables packed with or use KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Tasks