General

  • Target

    fc67352539e6d95d44816dbd3affde59553af0dacdae778027c5d2c8a09c50f6.zip

  • Size

    780KB

  • Sample

    240612-c3eftayhke

  • MD5

    ca86e5b9bf52aa46ad253327c2431564

  • SHA1

    0c00a57d292ae308d8e57e2d606471f93c1f5600

  • SHA256

    fc67352539e6d95d44816dbd3affde59553af0dacdae778027c5d2c8a09c50f6

  • SHA512

    5281907a0a8d466c56689ebccea92b18e3eb8b153d47ab472c8e45ae9070015423529d2728b82778721a6bd42f8b6c9639f227cc39ed9de5c6121a7a5d650b86

  • SSDEEP

    24576:6WYJXRWrmh4xkIXbEqGIjoBr7mCzfDi3ys5K91Ju:6WYJXqXYIjoBvmqDYv5aJu

Malware Config

Targets

    • Target

      BL.exe

    • Size

      1.2MB

    • MD5

      a6e9d4fa94edb21aa16b167dfec4f624

    • SHA1

      1b9f0d78dd27baa672c3d904b8bb0e8e9bdf7117

    • SHA256

      f0a931ba453d846bac36ab75d1e79847170cd8f562ccb117e92133434d301abf

    • SHA512

      1f64657ca18349d7977797b47414969494ab914387d1175b1cfeae4cda4f066111059eec2aa66fcf8333398934e764c740ee2d71453ada91fcd71c6a8c66bc64

    • SSDEEP

      24576:/AHnh+eWsN3skA4RV1Hom2KXMmHaWe2HXtKxksRk9bEC5:ih+ZkldoPK8YaWegt+RR8d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks