General

  • Target

    d84d891e29424cf00c407cf5397bf3f40e56b159ac2276b077dfb1bb548cb95b.rar

  • Size

    713KB

  • Sample

    240612-ct188ayfkd

  • MD5

    6dc468c2b516ab2bad95747dcb692b56

  • SHA1

    164c49cd98911c8298a122c39a468eb4b1c3627f

  • SHA256

    d84d891e29424cf00c407cf5397bf3f40e56b159ac2276b077dfb1bb548cb95b

  • SHA512

    348c8691ec4ea752b946952b9cbe9d7e58e6dd5d276dbb2efcf8a2361237c1cd752cc39af9c6a75c6ea759c25e19a5fd2185be6836d94ba8ea77ab16c4c14caa

  • SSDEEP

    12288:/3M1dlD6k/2kYw9qXGHORY65cCPXjwi6LtSKUfRhOjmXzLf/99nU1Z0RLdNJrL00:/crgE2cDHMcssbSKSRhweHjUn0RZNJrT

Malware Config

Targets

    • Target

      Debit Note PDF.exe

    • Size

      1.2MB

    • MD5

      5803a2fc9ec15de6690c023bafe5602f

    • SHA1

      2aa646820ee1bc5beb13e9c96ec1392a9f99f94a

    • SHA256

      1045b847a054314a54af5cf2a115c39cac66c6e6ee37cc5988eb02ef845d9ffa

    • SHA512

      e3bdb085484642162fad43cd6caf414d183898a106060e694ff9285f4e8837db7ae2fb296c04b0dffed17335791306ed1d4e8904ea0909b5ad1b5226ff6c5b50

    • SSDEEP

      24576:/AHnh+eWsN3skA4RV1Hom2KXMmHaLDxW9vqdWHK0Lj8Vl5:ih+ZkldoPK8YaLDAUWq0Lk

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks