General

  • Target

    7e12286566f85c9547a2d3508da9c7e5afa298b63a06369f1b12f516c5ace042

  • Size

    1.2MB

  • Sample

    240604-bx6sfahd33

  • MD5

    32770720e55a73dbb1b6f85972bb8b00

  • SHA1

    de1246e1f5d3e8e762bf041a53bb5b73d4a9dde8

  • SHA256

    7e12286566f85c9547a2d3508da9c7e5afa298b63a06369f1b12f516c5ace042

  • SHA512

    91a17cfec87a6a45b1ec3cac5bf619e735d69f98d0f0db4586c96adaf235746811796cbcebf0fd52a73de43e9e33b7afbaf07fa554346e793bef97f36d5a91c5

  • SSDEEP

    24576:3/TZBT2H+Y8TPiIBH6Y9MSIXB0F8Hb+mcWQADBj00:3FkeY8DiIBZIaXmcVAdj00

Malware Config

  • Extracted

    Family: agenttesla

  • Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks