General

  • Target

    3b430a2da7beb1840ba7af7621a2d8a9c5a585aa47cdd0fd836e896c13daf04a

  • Size

    1.4MB

  • Sample

    240916-x4gb1swalj

  • MD5

    37ac065d89791fe2b3d51bbb598e0a56

  • SHA1

    21f568d02460b532a731f710285adc65be65f7c3

  • SHA256

    3b430a2da7beb1840ba7af7621a2d8a9c5a585aa47cdd0fd836e896c13daf04a

  • SHA512

    9b11ca4284d181fb9c33f56e71a20929cb45d871b3c6d1586a2b887bc43e125d03edb0ec92e40826c67b4993fc0e74ed162fda79ad0c155c2ed7718a3796dd0b

  • SSDEEP

    12288:/O/p8ZXD7SThCDaRC6LuZRDDYXyUpFESNPOsZU8ggsS8JT0kWUKS:/OhYqK+CUuzYXJ/kgsNJAkWvS

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/

Targets

    • Target

      Payment Confirmation.exe

    • Size

      810.6MB

    • MD5

      80084f611a6210c1b59f6d7d672bcdde

    • SHA1

      0d1a1a9b27b1ba74e7603c4257eac203c63ea00e

    • SHA256

      c3d48de6a3ba0557c17e337205c597957c26baab2adbb3ae3909e83ef087fe90

    • SHA512

      3d49d606aa1dcc56d3021edf0870d0c39dfa19c658424ada459b58663d82f4decddcea662b6adca8ae67ce3a5282965849b413d64433438374132af05a9bad16

    • SSDEEP

      12288:uXX8vpiZVD7exhoDQRkYLulRnDqXSAzdeatPksfU8gee2GJF0kWN:W8xaGSAkKubqXJrQee9JGkWN

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks