General

  • Target

    d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186.exe

  • Size

    421KB

  • Sample

    240430-cc3eyshe9z

  • MD5

    7d862c6c31821657aa0877079a5c4be5

  • SHA1

    2a97fb40ca8824d4e6aa1a581e3f47290490d67c

  • SHA256

    d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186

  • SHA512

    f36c4d703667b2e19fa2d4952eabea31c112977d96e13b61b7a2c95e63b821fa75ef0f32a524c130824481ab9f4319b97e491a87b155e64a9be7130760f76f57

  • SSDEEP

    6144:/9X0GEh9EyWfqG2ts8KYV/i43TsgyT4O/f/KNL6Cac1YYwAL01r/x47yXnp1nOAp:J0VEsvPZG/XU2gYVALy/O7anp1OUXd

Malware Config

Extracted

Family

agenttesla

Targets

    • Target

      d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      34442e1e0c2870341df55e1b7b3cccdc

    • SHA1

      99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

    • SHA256

      269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

    • SHA512

      4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

    • SSDEEP

      192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ac0f93b2dec82e9579bff14c8572a6c8

    • SHA1

      6460244317cbb77e342adb3561ec3acb496c84d5

    • SHA256

      3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34

    • SHA512

      8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2

    • SSDEEP

      96:5OBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+u3wEX:5hB2flXAVJtjf6cBbcB/N8Ved0PJ

    Score
    3/10
