General

  • Target

    d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe

  • Size

    928KB

  • Sample

    240612-cracqayepa

  • MD5

    4266d91c8633602759414cebaeec2ae2

  • SHA1

    ba1dbcfb42cc7073e6fc8c2f75309bbea4dff3b6

  • SHA256

    d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18

  • SHA512

    fa083f2cc0da566a24b7bd259a680b94d03478b1988df230e990a364859b9b42ea7b6b4cb203efd321c870a8199b24e35f7f8632b83da7429cfec2f90ddf6314

  • SSDEEP

    24576:oT5+tqOmwmFwIwoGxEt0h1XummOxYD/I1adA:mEtBL+wRom3nnuckA

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18.exe

    • Size

      928KB

    • MD5

      4266d91c8633602759414cebaeec2ae2

    • SHA1

      ba1dbcfb42cc7073e6fc8c2f75309bbea4dff3b6

    • SHA256

      d05edc28492654541d48114072bc92e0be9431af44706af063bb919daf93af18

    • SHA512

      fa083f2cc0da566a24b7bd259a680b94d03478b1988df230e990a364859b9b42ea7b6b4cb203efd321c870a8199b24e35f7f8632b83da7429cfec2f90ddf6314

    • SSDEEP

      24576:oT5+tqOmwmFwIwoGxEt0h1XummOxYD/I1adA:mEtBL+wRom3nnuckA

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      d968cb2b98b83c03a9f02dd9b8df97dc

    • SHA1

      d784c9b7a92dce58a5038beb62a48ff509e166a0

    • SHA256

      a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c

    • SHA512

      2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

    • SSDEEP

      192:CVA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:CrR7SrtTv53tdtTgwF4SQbGPX36wJMw

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks