General

  • Target

    c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d.exe

  • Size

    1.0MB

  • Sample

    240430-cac3aagh89

  • MD5

    bebe5907e39cdbd2a097c0325f6b12ed

  • SHA1

    8ebfa77700a40d7935e41c376c0f0962c62e1c5a

  • SHA256

    c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d

  • SHA512

    d107f99e99966d4f21e0ca363e80fe825cf3edc067eacf3eda68e1d8df846168809497d57336210070ddc68d9e4eb375f0d0f03bf7670e5cdf35817afd2d701c

  • SSDEEP

    24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaNdYpcqO6p5:ph+ZkldoPK8YaNCOo

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d.exe

    • Size

      1.0MB

    • MD5

      bebe5907e39cdbd2a097c0325f6b12ed

    • SHA1

      8ebfa77700a40d7935e41c376c0f0962c62e1c5a

    • SHA256

      c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d

    • SHA512

      d107f99e99966d4f21e0ca363e80fe825cf3edc067eacf3eda68e1d8df846168809497d57336210070ddc68d9e4eb375f0d0f03bf7670e5cdf35817afd2d701c

    • SSDEEP

      24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaNdYpcqO6p5:ph+ZkldoPK8YaNCOo

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks