General

  • Target: 1b3bc0613f79431889a1452b050b467ab0c5eabe979c6278f73982ff5f5a4b00.exe

  • Size: 1.0MB

  • Sample: 240519-bf3pfsac83

  • MD5: e77cf047d33d9bed9d10494ed11c68f1

  • SHA1: b6dfe123d998dc453d4263b5876414d1825a07a8

  • SHA256: 1b3bc0613f79431889a1452b050b467ab0c5eabe979c6278f73982ff5f5a4b00

  • SHA512: b8797aec5bda5fae2b0423c53106dd2c6d3770fb9a72d7d6997a6741353a9fb6634e6c0a468655fe98efd0e0eddd73831b0ad56d3a40948c006ad2f6096ed52d

  • SSDEEP: 24576:V74FSZ6wPMZ82ZtSgSJDuyWqM5Wb+EjbL:148ACMZ82ZkgDyo2Jr

Malware Config

Extracted

  • Family: agenttesla

  • C2: https://api.telegram.org/bot6941402653:AAGD6Af00jBZM3CSU3pjKxYbW7aazMmc_10/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Detects packed .NET executables, mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables packed with or using KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks