General

  • Target

    f71ff7b82c98cd9926bb3830daa1282fb90271fd0c22bbf8a740af253cda234f.exe

  • Size

    1.0MB

  • Sample

    240612-c195psygqh

  • MD5

    5ea6e6c3ffcbbb3ee9c6698a3e58e8ad

  • SHA1

    15fe1aebea3766f0181cff952c6e8e27feaa02a9

  • SHA256

    f71ff7b82c98cd9926bb3830daa1282fb90271fd0c22bbf8a740af253cda234f

  • SHA512

    fb9572e479c3477684f40de8ed1f48de789e66f1702e1e15b45dd351e63af4c5f9ca720681a8f28de9cf224a5094c027726d74c9b47872ed791f45768c4a47f0

  • SSDEEP

    24576:EAHnh+eWsN3skA4RV1Hom2KXMmHavULgVR4I9SCeW5:Th+ZkldoPK8YavdEOb

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      f71ff7b82c98cd9926bb3830daa1282fb90271fd0c22bbf8a740af253cda234f.exe

    • Size

      1.0MB

    • MD5

      5ea6e6c3ffcbbb3ee9c6698a3e58e8ad

    • SHA1

      15fe1aebea3766f0181cff952c6e8e27feaa02a9

    • SHA256

      f71ff7b82c98cd9926bb3830daa1282fb90271fd0c22bbf8a740af253cda234f

    • SHA512

      fb9572e479c3477684f40de8ed1f48de789e66f1702e1e15b45dd351e63af4c5f9ca720681a8f28de9cf224a5094c027726d74c9b47872ed791f45768c4a47f0

    • SSDEEP

      24576:EAHnh+eWsN3skA4RV1Hom2KXMmHavULgVR4I9SCeW5:Th+ZkldoPK8YavdEOb

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks