General

  • Target

    Attachments.zip

  • Size

    1.2MB

  • Sample

    240603-gwf4aaec2x

  • MD5

    44c2e011bdabe4e9fc09a4029a5c6c1b

  • SHA1

    cac39bdb40b24f5b662b4928fc0ea1bd2faee903

  • SHA256

    adc82b873e8b21669e2d4cd73377a61e1d002ca8536502160603434424c13e02

  • SHA512

    0f3635e880de56ddcf5b8fcb27f5e35dd97728b5bd3186c194eee682e8a8983f180da9fb1e54841491af0f88fba7a920a99993f6a231cc65686b3410b47e449f

  • SSDEEP

    24576:HkJJZxq8kV1K/wshQdUNJA6kTumSH/c0xFfQCYpTfOL7Gy5dw56SqzmhaMjdGkuA:Hhk/wshjRka3c0xFfKT2LqygFqQasuu5

Malware Config

Extracted

  • Family

    agenttesla

  • C2

    https://api.telegram.org/bot7135973864:AAGVqtrGeLysm0FYcz68sQIn3nL2a6CxjMc/

Targets

    • Target

      INVOICE07.bat

    • Size

      540KB

    • MD5

      1952a79579272db52a814baf57821f90

    • SHA1

      3fcfb6c3d2c08e840d758e905c2f304ec39ca9f3

    • SHA256

      e575145995f725fbaecc1b95c73ec0fbdad3117e1f492dc8d93ad076f5ad2da1

    • SHA512

      088de9db26c4eda94bb71a5379118418c06bcb46d8ccce7d1da2719c8d742e8347a4dfde9f73afbb362ef461a0af159408d9150adc8653f6e5a3507408eb6a93

    • SSDEEP

      12288:xToPjPt8r1cxIMTOQo5Xq4PpsXis9Jhqd8FJVqzT+53xH:xeWrOa4UaYpsXlJIdwSIZ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      InvoiceConfirmation3.bat

    • Size

      540KB

    • MD5

      af29b01f9517f84f7d1794a3c5a987d5

    • SHA1

      17f8776ea38c0eb07915cf1ab4e52a2c87ec70cd

    • SHA256

      18ff8049e5eac05d3f1bf7d414664845edd76f5393630aa463566476e45b9985

    • SHA512

      29afff43ff59985eb4d65463cf7b8eaa6a82ae508cce66222707cab084d25bed77a45b7f85ec13e91545827f76bde014794b7ccf77f0df44b815df6b8d76953d

    • SSDEEP

      12288:2Nu+DeVdU51H++iCBdiQslfVMLOzcU+MEJXMHwXUIXkZsCSbluwG9XJec8SmC:t+aVK51HzBdeqLOIM8XfUXFYk7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks