General
-
Target
0-13.eml
-
Size
831KB
-
Sample
240523-rvpzxaee27
-
MD5
6db92808a0b24eb310faf7a5aa440ce6
-
SHA1
e96bf9b8ef57280a02c9d06a68ea8526c19ba431
-
SHA256
8e24500c381c9abb77a1892a68e62f367852ff945e1bcbac379441e4fea772b1
-
SHA512
531524e6ea3df525119d16b97418b9a64a0d2526561b6b251a70e3b8ae24d6d28fb0b9405dbad0232cf59b8260d6505064b361d1871ca85db03494c402f2478f
-
SSDEEP
24576:qQFbx4Egi43IFPNFnFSiO0DifiQXvohVV77b:aEgiX5v3+c77b
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7116470912:AAFcUeHH1656vYbBtccMjQVal4iMak99ZmA/
Targets
-
-
Target
0-13.eml
-
Size
831KB
-
MD5
6db92808a0b24eb310faf7a5aa440ce6
-
SHA1
e96bf9b8ef57280a02c9d06a68ea8526c19ba431
-
SHA256
8e24500c381c9abb77a1892a68e62f367852ff945e1bcbac379441e4fea772b1
-
SHA512
531524e6ea3df525119d16b97418b9a64a0d2526561b6b251a70e3b8ae24d6d28fb0b9405dbad0232cf59b8260d6505064b361d1871ca85db03494c402f2478f
-
SSDEEP
24576:qQFbx4Egi43IFPNFnFSiO0DifiQXvohVV77b:aEgiX5v3+c77b
Score5/10-
Drops file in System32 directory
-
-
-
Target
Ach_Payment_Advice01.gz
-
Size
612KB
-
MD5
adf375448796e4d3f80067a25fe89f46
-
SHA1
cfc575914ca0ebe94abf5d89722f6fbfaa9e1ee9
-
SHA256
c992f916c0381e40b3849ad77534f0bb944e4e42283793fd7ac06e245cd43cef
-
SHA512
e98fa14ef9a55f05bc8f48cab97397d732c12154b12caaef0d8fd0e39d8fff5b22f865eb9f9ade221ac64840011f2bbf2361042be9fbabe2c7f398dd976c3dc3
-
SSDEEP
12288:RJCt63Yngjh38jpvNO1ShvoOJ/gf5jb0qy3QQ5tcGgU0fOYeWiKp6cgxA:G63cihMpFutYjtPEU0m3KIcH
Score3/10 -
-
-
Target
Ach_Payment_Advice01.exe
-
Size
689KB
-
MD5
eeb0a5f2f2e765bbe937e595ddd0650a
-
SHA1
2a5127e5fdf921547b4ec39e964682469573e1f6
-
SHA256
2869686380724afd713bbefc58c9aceabd90692e27d9de7af96e748b3066d8e9
-
SHA512
46f36ddb5d6dc37ac4d1d0388c87971933e8f8fae7de89d54483b5a900365c786b859b9b7fbd7f721a03ac03025ce800f5ee3ebcb67aa22442d8df1853456ee8
-
SSDEEP
12288:c5h2Xp96Wtlc5ingN/JuXdH7O18x3UObHgf5jFuq4XQM5taSw40fgYYMiwp68kxU:c5UXfvtlc5yC/adbChYjl9c40oRwI81
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
UAC bypass
-
Windows security bypass
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
-
-
Target
email-html-1.txt
-
Size
946B
-
MD5
90c7264fde86f0c788ecea131de65e16
-
SHA1
bfecdfcc84b0bf0c11522032ec04ed6836385bfd
-
SHA256
67a8037245ca5e31a99d8a7dd453c3049385829ec8c0f79c90377f6dffbb02b1
-
SHA512
8725786f9e9bd865088b0af532ac6c9ba2d8c6c019c14dc22cc868c17acc6284e7165c0fb7f322682fb9d48dc19c923ad7a37f1588bfb4dc2acbfe47d81c4949
Score1/10 -
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1