General

  • Target: InvoiceConfirmation3.zip
  • Size: 406KB
  • Sample: 240603-gwgd2sfd56
  • MD5: 69d36048666b6f03ea5e438917f6bac7
  • SHA1: b1ab60817b5f7621f5e544c2f9d36b93c71ef47b
  • SHA256: 2ad94e138bd981332c443cfac96788ed71ad74e9073c9ee5fedbe6d21c2dc201
  • SHA512: 7c62c5eb98fbbc8e5169fb17e04ff060310bcd5c043758f76a6871f5c9df770c8b694850391f75080f78aa7239e918bd14fc6e279fb3f86a2578edb0bc4753e1
  • SSDEEP: 12288:H39HGi5zxXxTqGe/2Z/Ss1l4h0JvWjd2hEuvmt8Ez:pGi5dw58Sql4hKujd2auuJz

Malware Config

Extracted

  • Family: agenttesla
  • C2: https://api.telegram.org/bot7135973864:AAGVqtrGeLysm0FYcz68sQIn3nL2a6CxjMc/

Targets

    • Target: InvoiceConfirmation3.bat
    • Size: 540KB
    • MD5: af29b01f9517f84f7d1794a3c5a987d5
    • SHA1: 17f8776ea38c0eb07915cf1ab4e52a2c87ec70cd
    • SHA256: 18ff8049e5eac05d3f1bf7d414664845edd76f5393630aa463566476e45b9985
    • SHA512: 29afff43ff59985eb4d65463cf7b8eaa6a82ae508cce66222707cab084d25bed77a45b7f85ec13e91545827f76bde014794b7ccf77f0df44b815df6b8d76953d
    • SSDEEP: 12288:2Nu+DeVdU51H++iCBdiQslfVMLOzcU+MEJXMHwXUIXkZsCSbluwG9XJec8SmC:t+aVK51HzBdeqLOIM8XfUXFYk7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks