General

  • Target: 88bfeceeb200400bc9279d710f24d6afae6297f6e702fb45075962acf0d7edd1
  • Size: 216KB
  • Sample: 240518-j9mjbsbe6z
  • MD5: cd9ed63566302e6380bb39d26d3094c3
  • SHA1: ceb5af2c40b9d3449c9a11e98d611816895c5ade
  • SHA256: 88bfeceeb200400bc9279d710f24d6afae6297f6e702fb45075962acf0d7edd1
  • SHA512: f2c479a355d2867eb23403297e32f3c5cf45aeb85bdd991a0f9c67df11447f860f6c050ccb0d537b309ba596cc7f3ff551ac60584929a5649acf8cb1cf9e7098
  • SSDEEP: 6144:f41LCp1C9lEDVPtos9HbgrqtplNoinOwOM:osCGDVC6kG3Luw7

Malware Config (extracted)

  • Family: agenttesla


Targets

    • Target: 89dad71e8e344e1153817f221f9acf44bddb75941adae5c17a92a461ae1e8424.vbs
    • Size: 428KB
    • MD5: b0e796537c6e8d5afd5d7bb3ae79966e
    • SHA1: e590f3960ecc0addee9261c0a3619273ae31acc0
    • SHA256: 89dad71e8e344e1153817f221f9acf44bddb75941adae5c17a92a461ae1e8424
    • SHA512: 75da68f2a5a4ed08d86485c43524a4fbfc8ffcfbb05dda7d561f07a535f94ccdb7843480754818bfb07524d10bdbb68dbe54ed4b5576cb3e1aa5c7cb2cd29d26
    • SSDEEP: 6144:/R4t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+4o:/uJv0ayfOb64MRycngoavbN0vBrbu5+

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
