General

  • Target

    593cc6c6fee6b9fb6ae1e0594fbb64f76b8e18b532a25df6284300061cda47c7.vbs

  • Size

    23KB

  • Sample

    240612-bv8t1sxfpf

  • MD5

    07797f5857c697c8a1a12489e8bf76ea

  • SHA1

    9603afb90564671147e80dee0dbca0969f047dae

  • SHA256

    593cc6c6fee6b9fb6ae1e0594fbb64f76b8e18b532a25df6284300061cda47c7

  • SHA512

    6452353c9cd104e8ca728764b9a6b1079c65fcd5a7df7b2aeebd2731f173201028b18e4b3f30bf9842d733be62ae91c94d50cdb2bdaf07c9ba525694f47350f3

  • SSDEEP

    384:HkcoLqaePo/os7uoLUv5jvF8rOe/eqogMQ2JwD4odFWgVsHTqnRd0vOBc:HkcoLmPyuEUBtTd5wnWgyH2IJ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks