Resubmissions

23-05-2024 14:32

240523-rwr6naed5w 10

23-05-2024 14:31

240523-rvpzxaee27 10

23-05-2024 08:41

240523-klg5daba72 10

General

  • Target

    0-13.eml

  • Size

    831KB

  • Sample

    240523-rwr6naed5w

  • MD5

    6db92808a0b24eb310faf7a5aa440ce6

  • SHA1

    e96bf9b8ef57280a02c9d06a68ea8526c19ba431

  • SHA256

    8e24500c381c9abb77a1892a68e62f367852ff945e1bcbac379441e4fea772b1

  • SHA512

    531524e6ea3df525119d16b97418b9a64a0d2526561b6b251a70e3b8ae24d6d28fb0b9405dbad0232cf59b8260d6505064b361d1871ca85db03494c402f2478f

  • SSDEEP

    24576:qQFbx4Egi43IFPNFnFSiO0DifiQXvohVV77b:aEgiX5v3+c77b

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7116470912:AAFcUeHH1656vYbBtccMjQVal4iMak99ZmA/

Targets

    • Target

      0-13.eml

    • Size

      831KB

    • MD5

      6db92808a0b24eb310faf7a5aa440ce6

    • SHA1

      e96bf9b8ef57280a02c9d06a68ea8526c19ba431

    • SHA256

      8e24500c381c9abb77a1892a68e62f367852ff945e1bcbac379441e4fea772b1

    • SHA512

      531524e6ea3df525119d16b97418b9a64a0d2526561b6b251a70e3b8ae24d6d28fb0b9405dbad0232cf59b8260d6505064b361d1871ca85db03494c402f2478f

    • SSDEEP

      24576:qQFbx4Egi43IFPNFnFSiO0DifiQXvohVV77b:aEgiX5v3+c77b

    Score
    5/10
    • Drops file in System32 directory

    • Target

      Ach_Payment_Advice01.gz

    • Size

      612KB

    • MD5

      adf375448796e4d3f80067a25fe89f46

    • SHA1

      cfc575914ca0ebe94abf5d89722f6fbfaa9e1ee9

    • SHA256

      c992f916c0381e40b3849ad77534f0bb944e4e42283793fd7ac06e245cd43cef

    • SHA512

      e98fa14ef9a55f05bc8f48cab97397d732c12154b12caaef0d8fd0e39d8fff5b22f865eb9f9ade221ac64840011f2bbf2361042be9fbabe2c7f398dd976c3dc3

    • SSDEEP

      12288:RJCt63Yngjh38jpvNO1ShvoOJ/gf5jb0qy3QQ5tcGgU0fOYeWiKp6cgxA:G63cihMpFutYjtPEU0m3KIcH

    Score
    3/10
    • Target

      Ach_Payment_Advice01.exe

    • Size

      689KB

    • MD5

      eeb0a5f2f2e765bbe937e595ddd0650a

    • SHA1

      2a5127e5fdf921547b4ec39e964682469573e1f6

    • SHA256

      2869686380724afd713bbefc58c9aceabd90692e27d9de7af96e748b3066d8e9

    • SHA512

      46f36ddb5d6dc37ac4d1d0388c87971933e8f8fae7de89d54483b5a900365c786b859b9b7fbd7f721a03ac03025ce800f5ee3ebcb67aa22442d8df1853456ee8

    • SSDEEP

      12288:c5h2Xp96Wtlc5ingN/JuXdH7O18x3UObHgf5jFuq4XQM5taSw40fgYYMiwp68kxU:c5UXfvtlc5yC/adbChYjl9c40oRwI81

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • Target

      email-html-1.txt

    • Size

      946B

    • MD5

      90c7264fde86f0c788ecea131de65e16

    • SHA1

      bfecdfcc84b0bf0c11522032ec04ed6836385bfd

    • SHA256

      67a8037245ca5e31a99d8a7dd453c3049385829ec8c0f79c90377f6dffbb02b1

    • SHA512

      8725786f9e9bd865088b0af532ac6c9ba2d8c6c019c14dc22cc868c17acc6284e7165c0fb7f322682fb9d48dc19c923ad7a37f1588bfb4dc2acbfe47d81c4949

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks