General

  • Target

    Solicitud de Pedidos.exe

  • Size

    780KB

  • Sample

    240617-qwtttatanc

  • MD5

    0f5ceaedf9a8a0839d149b89cefa9466

  • SHA1

    16e1745eea86b2283d3d52b1bbf42efc0183349e

  • SHA256

    57826299a05b5202efad57e0b8580ffad6d90feace9734a5aceb3a0d945fbeee

  • SHA512

    df0472e1182c9cb01c2cd5d04d08405a1aa286c89ea6e9802996739c0744099192169fa114eeb834ca20ca01dc61725b762137a1a49e0d08989292e138b51a35

  • SSDEEP

    12288:ZwX2iNvFIsPAuqKEuqHO+55T8NXia29G6ec0e6bbvlS+LOjLqzQFnEAmDTkR:01DIKlEu4hv0ia20VectS+LOjLqMpP

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7324912316:AAE9cdHKCIzAvY4FYnIyplYYh0ouA4afT4k/

Targets

    • Target

      Solicitud de Pedidos.exe

    • Size

      780KB

    • MD5

      0f5ceaedf9a8a0839d149b89cefa9466

    • SHA1

      16e1745eea86b2283d3d52b1bbf42efc0183349e

    • SHA256

      57826299a05b5202efad57e0b8580ffad6d90feace9734a5aceb3a0d945fbeee

    • SHA512

      df0472e1182c9cb01c2cd5d04d08405a1aa286c89ea6e9802996739c0744099192169fa114eeb834ca20ca01dc61725b762137a1a49e0d08989292e138b51a35

    • SSDEEP

      12288:ZwX2iNvFIsPAuqKEuqHO+55T8NXia29G6ec0e6bbvlS+LOjLqzQFnEAmDTkR:01DIKlEu4hv0ia20VectS+LOjLqMpP

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks