General

  • Target

    DHL-INVOICE-00660840.bat

  • Size

    2.9MB

  • Sample

    240625-kr7bfszcqh

  • MD5

    9298a0798f02a770a07f48b0832f6b90

  • SHA1

    7534c18ea1f2df754b88f1d648b6f9ac8c0d2bd9

  • SHA256

    9c21ee0f98ba8ff396a2c3058b20209fc1e71f79b2614dc073c6ebe310a47181

  • SHA512

    029cb130e8ba7499e5949d23ec3ff51626a8a5308eb03febe174e5418ce19e5210be99f782b5bea230683f3c771c5a86bffdb4b93d8a355256d8cd9e268dd4e7

  • SSDEEP

    49152:DxmazrQynYIB6FiDvDl57InBK2zX1CVWRxK4cr/oD:6

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DHL-INVOICE-00660840.bat

    • Size

      2.9MB

    • MD5

      9298a0798f02a770a07f48b0832f6b90

    • SHA1

      7534c18ea1f2df754b88f1d648b6f9ac8c0d2bd9

    • SHA256

      9c21ee0f98ba8ff396a2c3058b20209fc1e71f79b2614dc073c6ebe310a47181

    • SHA512

      029cb130e8ba7499e5949d23ec3ff51626a8a5308eb03febe174e5418ce19e5210be99f782b5bea230683f3c771c5a86bffdb4b93d8a355256d8cd9e268dd4e7

    • SSDEEP

      49152:DxmazrQynYIB6FiDvDl57InBK2zX1CVWRxK4cr/oD:6

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks