General

  • Target

    azeaze.eml

  • Size

    823KB

  • Sample

    240619-hxmswszhkq

  • MD5

    f8364468922666512f3ad044fcef09a7

  • SHA1

    c4da25fc34ae960fc1eee9e382f9c15acd3b27ee

  • SHA256

    20bcf4f26ec45e28805c868153587c7fe69d680b1fe3ed417961aff0f4f91feb

  • SHA512

    9fd58b1044f3773f7f13f1e9cadd94c011d091a1d5ea39ccdf0c94ad49fb96986c36ac082a8f2eb7d906b5119a05b752fb5f01ceef03d3c44b37333780f7ff98

  • SSDEEP

    12288:lQ46OAf42fwbQdSmoeJJnfm/4kKI5CB4880UXjuz9r5WNwznIJBEk1HaGK2m8:m4jCfwPS9m/vPCLgjuzDWGIJ1HAZ8

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      whitegick.exe

    • Size

      1.1MB

    • MD5

      dc4259b113353acfe97ed36b01b1e8b1

    • SHA1

      83882dc9fc7b2151f3f11dc76a09dd07f861792b

    • SHA256

      8baa0339be00a7457f550ab4e5bfb5c35a7c62982fcf3b0b5669fa9f75024266

    • SHA512

      eb035c6b8f8697c35eb1b7c27077c091c099831fc14b7c1f27d0feb500949c3526bcabd84d425de21f8595160abeaa9c7d14bad3da13585024ec19d9e53bd6f3

    • SSDEEP

      24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8aL3KnjFKFNUz:zTvC/MTQYxsWR7aLwIc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks