General

  • Target

    2fb680ad3d71082b098f86c2e0951771327e41f3f91f8e985fd5af4a3e19afb5

  • Size

    419KB

  • Sample

    240522-wt77babe4x

  • MD5

    b42c1ef915b84e3d0bbb1195eb4b2eca

  • SHA1

    adb82027b3418dc70226f3eb0c8a562b5c82f839

  • SHA256

    2fb680ad3d71082b098f86c2e0951771327e41f3f91f8e985fd5af4a3e19afb5

  • SHA512

    a3d5ff235e15c1168983266fb4a4252af11f720bf3a1069cb2dce6373972359e5a75e81f546d9cc33d6c84c158b56b008a52fec904074f8269f4d5ce37a496fd

  • SSDEEP

    6144:/9X0GEh9EyWfqG2ts8KYV/i43TsgyT4O/f/KNC8pb+P+AoJb0EerVrBETw0Augjo:J0VEsvPZG/XUC8pU+AoB+VrBET10o

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      2fb680ad3d71082b098f86c2e0951771327e41f3f91f8e985fd5af4a3e19afb5

    • Size

      419KB

    • MD5

      b42c1ef915b84e3d0bbb1195eb4b2eca

    • SHA1

      adb82027b3418dc70226f3eb0c8a562b5c82f839

    • SHA256

      2fb680ad3d71082b098f86c2e0951771327e41f3f91f8e985fd5af4a3e19afb5

    • SHA512

      a3d5ff235e15c1168983266fb4a4252af11f720bf3a1069cb2dce6373972359e5a75e81f546d9cc33d6c84c158b56b008a52fec904074f8269f4d5ce37a496fd

    • SSDEEP

      6144:/9X0GEh9EyWfqG2ts8KYV/i43TsgyT4O/f/KNC8pb+P+AoJb0EerVrBETw0Augjo:J0VEsvPZG/XUC8pU+AoB+VrBET10o

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      34442e1e0c2870341df55e1b7b3cccdc

    • SHA1

      99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

    • SHA256

      269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

    • SHA512

      4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

    • SSDEEP

      192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ac0f93b2dec82e9579bff14c8572a6c8

    • SHA1

      6460244317cbb77e342adb3561ec3acb496c84d5

    • SHA256

      3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34

    • SHA512

      8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2

    • SSDEEP

      96:5OBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+u3wEX:5hB2flXAVJtjf6cBbcB/N8Ved0PJ

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks