General

  • Target

    b2e8f6340ca878d0c0a82b6ec6a7d88d9e2dfc6cf72f81bda974d888f95f1713.exe

  • Size

    3.1MB

  • Sample

    240604-b7n1dahh26

  • MD5

    078bbe7eaeaf7e7cc2ed22c372de38c4

  • SHA1

    d27576bb00da17e68f302f4408a74f32e96fc267

  • SHA256

    b2e8f6340ca878d0c0a82b6ec6a7d88d9e2dfc6cf72f81bda974d888f95f1713

  • SHA512

    2f31282dca1ef9e01c75161f71870871959a3943c0e8b8d73308f237a90875d8ac8583994dc636bb359997c84039805d8d45d44e55635eae9d80dea7729cd0fc

  • SSDEEP

    49152:u8yJAk206NICMq5pzKRgqVzKwxgFKjEXmNXjAuyG:ZBsS

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      b2e8f6340ca878d0c0a82b6ec6a7d88d9e2dfc6cf72f81bda974d888f95f1713.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks