General

  • Target

    a3d0339ed9baefeedb6cb984e3e6fcafeb59dab6484c0b75e44a6c24b1cd31f6.exe

  • Size

    933KB

  • Sample

    240612-ccw8yaycll

  • MD5

    15d4b3a4b2907c2602eb46b084afe911

  • SHA1

    90a8ae980f1dd539e8716e7b5c26e7f229620a3b

  • SHA256

    a3d0339ed9baefeedb6cb984e3e6fcafeb59dab6484c0b75e44a6c24b1cd31f6

  • SHA512

    4df17340873fd0bf929cbb79b3d7db2e85fb02c211b10866b69b2be51bfce1576c2eaef2b4321fad89274e1208d0dcad70c132e5c12493bf1d58b603c8ddab59

  • SSDEEP

    12288:P9S0DlaggXSvN7EM8N+CzaXuGTNVSG6SRiI2qecz+ELeK67nIPZqwLf6d1:1SRDWN7EMLkWNVSG0LwPtsIxqwrM1

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      a3d0339ed9baefeedb6cb984e3e6fcafeb59dab6484c0b75e44a6c24b1cd31f6.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with or using KoiVM

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks