General

  • Target

    doc023561261500.bat

  • Size

    519KB

  • Sample

    240521-knp8rsfa76

  • MD5

    99f98edde22e283c0fd6e3e3100dc37c

  • SHA1

    207a8e62444fc70005fe2c3c114c94cf7bce492e

  • SHA256

    b4bbef6078f82d7abb9e090838f298c0c53a1671f57897b24c48d014a14de6b2

  • SHA512

    15fd99ebd8f93160360f55be29384a39ab9865815fec34b5c2f91917130f70d5dbbf34fc2067a221e5029bcacd9543f2847db97a1ff9fbd5191c38ee63f7eb82

  • SSDEEP

    12288:Q12/OjGeEWOFZkDA27HajpkZPe0epBkW78pg4xoylsFJJR7Vo:5/2GeEWOFZI7hZPehBkBx0Zo
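The hashes above, not the file name, identify this sample; doc023561261500.bat will be renamed on every delivery. The following is an added example (not part of the report or of any sandbox tooling) showing how to check a suspect file against all four listed digests at once and how to read the SSDEEP signature: ssdeep only scores two signatures whose block sizes are equal or differ by one doubling, so a comparison across other block sizes is meaningless rather than "low". The test inputs are constructed; the sample itself is not embedded.

```python
import hashlib

# Digests exactly as listed in the report's General section.
REPORTED_HASHES = {
    "md5": "99f98edde22e283c0fd6e3e3100dc37c",
    "sha1": "207a8e62444fc70005fe2c3c114c94cf7bce492e",
    "sha256": "b4bbef6078f82d7abb9e090838f298c0c53a1671f57897b24c48d014a14de6b2",
    "sha512": "15fd99ebd8f93160360f55be29384a39ab9865815fec34b5c2f91917130f70d5"
              "dbbf34fc2067a221e5029bcacd9543f2847db97a1ff9fbd5191c38ee63f7eb82",
}
REPORTED_SSDEEP = ("12288:Q12/OjGeEWOFZkDA27HajpkZPe0epBkW78pg4xoylsFJJR7Vo:"
                   "5/2GeEWOFZI7hZPehBkBx0Zo")


def hash_bytes(data: bytes) -> dict:
    """Compute every algorithm the report lists over an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as hash_bytes, but streams the file so large samples are never read whole."""
    hashers = {name: hashlib.new(name) for name in REPORTED_HASHES}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_to_report(computed: dict, reported: dict = REPORTED_HASHES) -> dict:
    """Per-algorithm verdicts. A genuine copy of the sample matches on all of them;
    a partial match (say MD5 only) points to a transcription error or a collision
    and must not be treated as confirmation."""
    return {name: computed[name].lower() == reported[name].lower() for name in reported}


def is_reported_sample(data: bytes) -> bool:
    """True only when every listed digest agrees."""
    return all(compare_to_report(hash_bytes(data)).values())


def parse_ssdeep(signature: str):
    """Split an ssdeep signature into (block_size, chunk, double_chunk)."""
    block_size, chunk, double_chunk = signature.split(":", 2)
    return int(block_size), chunk, double_chunk


def ssdeep_comparable(sig_a: str, sig_b: str) -> bool:
    """ssdeep compares chunk-to-chunk at equal block size, or chunk-to-double_chunk
    when one block size is exactly twice the other; any other pair scores 0."""
    a, b = parse_ssdeep(sig_a)[0], parse_ssdeep(sig_b)[0]
    return a == b or a == 2 * b or b == 2 * a


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        verdict = compare_to_report(hash_file(path))
        print(path, "MATCH" if all(verdict.values()) else "no match", verdict)
```

Run it as `python check_sample.py suspect.bin`; a file that matches on all four digests is this sample regardless of its name. For fuzzy matching against the SSDEEP value, pass the two signatures through `ssdeep_comparable` first, then score them with the ssdeep or ppdeep library; the block-size check saves puzzling over a 0 that only reflects incompatible block sizes.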

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      doc023561261500.bat

    • Size

      519KB

    • MD5

      99f98edde22e283c0fd6e3e3100dc37c

    • SHA1

      207a8e62444fc70005fe2c3c114c94cf7bce492e

    • SHA256

      b4bbef6078f82d7abb9e090838f298c0c53a1671f57897b24c48d014a14de6b2

    • SHA512

      15fd99ebd8f93160360f55be29384a39ab9865815fec34b5c2f91917130f70d5dbbf34fc2067a221e5029bcacd9543f2847db97a1ff9fbd5191c38ee63f7eb82

    • SSDEEP

      12288:Q12/OjGeEWOFZkDA27HajpkZPe0epBkW78pg4xoylsFJJR7Vo:5/2GeEWOFZI7hZPehBkBx0Zo

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) written in Visual Basic, best known for harvesting stored credentials from browsers, mail and FTP clients and exfiltrating them.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden (the -WindowStyle Hidden host switch, or an abbreviation such as -w hidden), so the script executes without any visible window.

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup web service to find the infected system's external IP address, information Agent Tesla includes in the data it exfiltrates. A request to such a service from a non-browser process is a useful hunting signal.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with NtCreateThreadEx and the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so the new thread generates no debug events; an anti-debugging technique.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), which detaches the calling thread from an attached debugger so its breakpoints and exceptions are no longer reported; another anti-debugging technique.

    • Suspicious use of SetThreadContext

      Overwrites another thread's register context with SetThreadContext. Legitimate software rarely needs this; loaders use it to redirect a suspended thread into injected code (process hollowing / RunPE), which fits the anti-debugging calls above.
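The "Command and Scripting Interpreter: PowerShell" signature above fires on a hidden-window PowerShell launch. The following is an added example (not part of the report or of the sandbox's own detection logic) of the equivalent check over process-creation command lines, as one would run it across Sysmon Event ID 1 or Security 4688 records. It resolves the host's parameter abbreviations by prefix, the way powershell.exe itself does (-w, -win and -WindowStyle are all the same switch; -e and -ep are special cases), rather than matching a fixed list of spellings, and it also records the -EncodedCommand, -NoProfile and -ExecutionPolicy Bypass switches that usually accompany a hidden window. The sample command lines are constructed for the example and are not taken from this run.

```python
import re

# Image names that host PowerShell, compared case-insensitively to the basename.
POWERSHELL_HOSTS = {"powershell.exe", "powershell", "pwsh.exe", "pwsh", "powershell_ise.exe"}

# Host parameters we resolve. powershell.exe accepts any unambiguous prefix of a
# parameter name, so a token is resolved by prefix instead of by exact spelling.
KNOWN_PARAMS = ("windowstyle", "encodedcommand", "executionpolicy", "noprofile",
                "noninteractive", "nologo", "noexit", "command", "file", "version",
                "sta", "mta", "inputformat", "outputformat")

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(command_line: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in _TOKEN_RE.findall(command_line)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def resolve_param(token: str):
    """Map a -flag (or /flag) token to its full parameter name, or None.
    '-e' and '-ep' are special-cased to EncodedCommand and ExecutionPolicy,
    matching the host's own parser; every other prefix must be unambiguous."""
    if not token.startswith(("-", "/")) or len(token) < 2:
        return None
    name = token[1:].lower()
    if name == "e":
        return "encodedcommand"
    if name == "ep":
        return "executionpolicy"
    matches = [p for p in KNOWN_PARAMS if p.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def analyze_powershell(command_line: str):
    """Return None if this is not a PowerShell host invocation, otherwise a dict of
    the evasion-related host switches found before the -Command/-File payload."""
    tokens = tokenize(command_line)
    if not tokens or basename(tokens[0]) not in POWERSHELL_HOSTS:
        return None
    findings = {"hidden_window": False, "encoded_command": False,
                "no_profile": False, "execution_policy_bypass": False}
    i = 1
    while i < len(tokens):
        param = resolve_param(tokens[i])
        value = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if param == "windowstyle":
            # "hidden" by name, or its numeric form (ProcessWindowStyle.Hidden == 1).
            findings["hidden_window"] = value in ("hidden", "1")
            i += 1
        elif param == "encodedcommand":
            findings["encoded_command"] = True
            i += 1  # skip the base64 blob
        elif param == "noprofile":
            findings["no_profile"] = True
        elif param == "executionpolicy":
            findings["execution_policy_bypass"] = value in ("bypass", "unrestricted")
            i += 1
        elif param in ("command", "file"):
            break  # everything after -Command / -File belongs to the payload
        i += 1
    return findings


# Constructed process-creation command lines (not from the report) for the demo.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '
    r'-NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1',
    'powershell -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    'powershell.exe -NoProfile -Command "Get-Process | Out-File procs.txt"',
    r'C:\Windows\System32\cmd.exe /c whoami',
]


def triage(command_lines) -> list:
    """Keep only PowerShell launches that hide their window, with their findings."""
    hits = []
    for cl in command_lines:
        findings = analyze_powershell(cl)
        if findings and findings["hidden_window"]:
            hits.append((cl, findings))
    return hits


if __name__ == "__main__":
    for cl, findings in triage(SAMPLE_COMMAND_LINES):
        print(findings, "<-", cl)
```

Pair the hit with its parent process: a hidden-window PowerShell spawned by an Office application, a script host, or a file named like a document (as here, a .bat "doc" attachment) is the combination worth paging on, while the same switches under a known deployment tool are routine.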

MITRE ATT&CK Enterprise v15

Tasks