General

  • Target: INVOICE07.zip
  • Size: 405KB
  • Sample: 240603-gwgd2sfd55
  • MD5: df0ff896342439513f5ec45e6407acba
  • SHA1: adcb3cda4d1e4484ac99b18494f4f4dcdae6f0b3
  • SHA256: 900686f955496fc4db8bd11b35a3b531e2ff9987d8c39349a8d6116029d3e5fd
  • SHA512: 7994dea452271d464a206c44614ab55da01b3b40212a2380bc6df8bf6127342249360ac71d2eead861c502234ee4524f7c2700456a7099efc7e13d32ec93eb00
  • SSDEEP: 12288:g1Hh1189ywvCCcdysbrQCqPdlH+Ol+8ZHM:kHPqc9jNQCqFl3+CM

Malware Config

Extracted

  • Family: agenttesla
  • C2: https://api.telegram.org/bot7135973864:AAGVqtrGeLysm0FYcz68sQIn3nL2a6CxjMc/

Targets

    • Target: INVOICE07.bat
    • Size: 540KB
    • MD5: 1952a79579272db52a814baf57821f90
    • SHA1: 3fcfb6c3d2c08e840d758e905c2f304ec39ca9f3
    • SHA256: e575145995f725fbaecc1b95c73ec0fbdad3117e1f492dc8d93ad076f5ad2da1
    • SHA512: 088de9db26c4eda94bb71a5379118418c06bcb46d8ccce7d1da2719c8d742e8347a4dfde9f73afbb362ef461a0af159408d9150adc8653f6e5a3507408eb6a93
    • SSDEEP: 12288:xToPjPt8r1cxIMTOQo5Xq4PpsXis9Jhqd8FJVqzT+53xH:xeWrOa4UaYpsXlJIdwSIZ

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell with the display window hidden.
    • Executes dropped EXE
    • Loads dropped DLL
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks