General

  • Target

    09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs

  • Size

    91KB

  • Sample

    240619-bes4ma1alf

  • MD5

    44d9ad2f0db6d4cb899d6657974c817b

  • SHA1

    1a76e0f99bffc9a92c8578f87538f2efb2b94ec9

  • SHA256

    09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19

  • SHA512

    09b6a077beed527f4756d9d20f696a66976537e1fcef947fa29ac8e8f9c761be83297a07920e050f4df1ca16d41b11b51298d9d72f45ad352e5166fd95a68c8b

  • SSDEEP

    1536:w01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5XRyz29KWFj:w09LB0DnWzhX7RXaSMxhxsAhWEwhrdMZ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks