General

  • Target

    5a24cf78cb6054ef0f93726c02aeb7c0d0b2e772b69fb1a9907b6ba8ef8f952e.exe

  • Size

    1.1MB

  • Sample

    240519-brl6vaba96

  • MD5

    2c4576ca7c0f8abeb6647ca51cd19b2c

  • SHA1

    cac2fdb51c878e8dec6e0f392281a3562ea9ecc0

  • SHA256

    5a24cf78cb6054ef0f93726c02aeb7c0d0b2e772b69fb1a9907b6ba8ef8f952e

  • SHA512

    998472adbb49895a2ee41b3f868b9c61b45bbcb3609296f234ff50fe391098e1c8f9e04c5cd5a14575ea268e229b3ffa8c73949fae4ac541bd7b614a83d6bb45

  • SSDEEP

    24576:6lMAYTFQBeU31HTh/OZHCeTcILzp6Od7b:6lMlTKsi1/OZMIM63

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7062542161:AAGTRYaovexgStrKeV0wI1K5scR6qGG6-3k/

Targets

    • Target

      5a24cf78cb6054ef0f93726c02aeb7c0d0b2e772b69fb1a9907b6ba8ef8f952e.exe

    • Size

      1.1MB

    • MD5

      2c4576ca7c0f8abeb6647ca51cd19b2c

    • SHA1

      cac2fdb51c878e8dec6e0f392281a3562ea9ecc0

    • SHA256

      5a24cf78cb6054ef0f93726c02aeb7c0d0b2e772b69fb1a9907b6ba8ef8f952e

    • SHA512

      998472adbb49895a2ee41b3f868b9c61b45bbcb3609296f234ff50fe391098e1c8f9e04c5cd5a14575ea268e229b3ffa8c73949fae4ac541bd7b614a83d6bb45

    • SSDEEP

      24576:6lMAYTFQBeU31HTh/OZHCeTcILzp6Od7b:6lMlTKsi1/OZMIM63

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Detects packed .NET executables, mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or using KoiVM.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks