General

  • Target

    Request For Quote document.exe

  • Size

    294KB

  • Sample

    240917-cszzrszfkj

  • MD5

    9fe3c4fe210d4dbcbcd600a0f3bafa8e

  • SHA1

    0abb32cb963fdf10289f5a5c308a1be7eeb6bfcb

  • SHA256

    22d69380285b3ae54c3ab153d36152c70a1d40e5e860ccb962ac564c86a6cdb4

  • SHA512

    26d6b9b7f3dfc3c3d1741748234d1e155a424bd8dbfa6d40c658637c95a8c4646e9002c230f8fe04c26fb19fa3803bd9b00f36a7a1666b8007abe955b496f797

  • SSDEEP

    6144:giISBtWm7kQgIjRs6HcKBlVMrfuQK7Rq9e1+fnIE3mfHbHI5Cj604zhMBr1:gctWm7kQgIjRs6HcKBlarfuQK7Rq9u+m

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Request For Quote document.exe

    • Size

      294KB

    • MD5

      9fe3c4fe210d4dbcbcd600a0f3bafa8e

    • SHA1

      0abb32cb963fdf10289f5a5c308a1be7eeb6bfcb

    • SHA256

      22d69380285b3ae54c3ab153d36152c70a1d40e5e860ccb962ac564c86a6cdb4

    • SHA512

      26d6b9b7f3dfc3c3d1741748234d1e155a424bd8dbfa6d40c658637c95a8c4646e9002c230f8fe04c26fb19fa3803bd9b00f36a7a1666b8007abe955b496f797

    • SSDEEP

      6144:giISBtWm7kQgIjRs6HcKBlVMrfuQK7Rq9e1+fnIE3mfHbHI5Cj604zhMBr1:gctWm7kQgIjRs6HcKBlarfuQK7Rq9u+m

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks