General

  • Target

    7a39624c0e6904b5b710ac5a8d76ba26d91d3603607bef80c62b28a4d693cf1f.bat

  • Size

    2.5MB

  • Sample

    240618-vzm8naxcll

  • MD5

    0f66c9fac192e23ed8b27756a13c9a51

  • SHA1

    20ddad40148adbdd5d784b124acc33cdde097132

  • SHA256

    7a39624c0e6904b5b710ac5a8d76ba26d91d3603607bef80c62b28a4d693cf1f

  • SHA512

    a5a14d3cb211d82d88fe6a9e20d9e31d904f469d53397c08d0ad5d0e33092309befd7b758823712412f0934212af69211fcd6f2e7f21fec9eb74e2949bc45335

  • SSDEEP

    49152:5an+rZc4d12wBdAyoxrHDJn514sMoV5HOIbTbfS:P

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      7a39624c0e6904b5b710ac5a8d76ba26d91d3603607bef80c62b28a4d693cf1f.bat

    • Size

      2.5MB

    • MD5

      0f66c9fac192e23ed8b27756a13c9a51

    • SHA1

      20ddad40148adbdd5d784b124acc33cdde097132

    • SHA256

      7a39624c0e6904b5b710ac5a8d76ba26d91d3603607bef80c62b28a4d693cf1f

    • SHA512

      a5a14d3cb211d82d88fe6a9e20d9e31d904f469d53397c08d0ad5d0e33092309befd7b758823712412f0934212af69211fcd6f2e7f21fec9eb74e2949bc45335

    • SSDEEP

      49152:5an+rZc4d12wBdAyoxrHDJn514sMoV5HOIbTbfS:P

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks