General

  • Target

    7331f4d321910efc1e8a2e8b3a693f1295c1236a432531e9b694bdcb94b5edb8.exe

  • Size

    332KB

  • Sample

    240604-bwgf6age4x

  • MD5

    6b155d592b862b2f50992026536a8944

  • SHA1

    b6ef934df80b9028194ab889f831bbd1d63d44b8

  • SHA256

    7331f4d321910efc1e8a2e8b3a693f1295c1236a432531e9b694bdcb94b5edb8

  • SHA512

    8c867d94d3c25da0eb39fced8e4d0deeeb1ceeae787734a6e191f57768cd311ec7d1f0a98d98c2e778f2de458d38218d501142f8e48daf8852d5ef67be81535c

  • SSDEEP

    768:BcKODQe2VzEjss2yXg1ILcn0sspAgpq80Lyg1uMN0+dzsRU+eEw:DSQ7E/pqrLy0uyz+fw

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      7331f4d321910efc1e8a2e8b3a693f1295c1236a432531e9b694bdcb94b5edb8.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.

    • Detects executables packed with SmartAssembly.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks