General

  • Target

    d43caa8513d5c833150caaea54a56ebad2306f89cac3266d057d7f47282c1a11.img

  • Size

    1.2MB

  • Sample

    240523-r8gkpaeh84

  • MD5

    cdf2d0ec69cda136a182b17c4e272337

  • SHA1

    3821755c637e4b1bee6053dbbb8cddf26ab553e3

  • SHA256

    d43caa8513d5c833150caaea54a56ebad2306f89cac3266d057d7f47282c1a11

  • SHA512

    482ef8aa1120c6ee5e1b5d68a1d2e957a94fbb73c39ed3dcc0f0ceaa4b35a7b2c3d8116cdbd90458240cfa454f4fb7fb07443f8dcf62c3cacceee85d17fec060

  • SSDEEP

    192:3jY2yDwVFJs7R6/F53IYG8NJu0aTV/cFaFrmxpCz6cf:1/Jh/FNImyfTV/xrmxpCz6c

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SKIIP 83EC125T1 22-0-05-24RQ.vbs

    • Size

      5KB

    • MD5

      62bc79cdf5d55f891ae6d2a662cb87fc

    • SHA1

      2ab352feb12da98eca4c5ec9ce4b349f5731ab50

    • SHA256

      d14ef42bd2f3ecb7ff2e7ea8b7fd79b06f5b048c2f181381b5f8b790b7228f3b

    • SHA512

      1335d32fa999b5f3729f0b94caf214e09b78c9f3108c05e8fb6fddb828f7d8049a17c2e1b72ca12203ebdda0141d22c326e1986057677fdb9efe6970638c7db2

    • SSDEEP

      96:QsLisJvmYz2W6/F5J9eI8L7YMH8NJPW0agOVTLU5VFPB5Gv9rmJ/pCz6cfp:QJs7R6/F53IYG8NJu0aTV/cFaFrmxpCv

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Tasks