General

  • Target

    cj.zip

  • Size

    1.4MB

  • Sample

    240921-3w583a1elf

  • MD5

    32903f4f041d88950ba1768670b260fa

  • SHA1

    da60e525522f5edff0bcfc214ec3499f0ca344f6

  • SHA256

    403c6b151976080257ee2ba66535a58f1a9b824ec6ac90e24159910b61b20c13

  • SHA512

    514b1bf7fcd887b3952e7efef20af525773e103b8f967d3a07ecb59a8c0be4d67f92666b1cda5fac6b9c076fcf6f8b8f5e72d57f055e999cf0d84fb5789ec840

  • SSDEEP

    24576:tS17JAsQBpTxtJXnXlk/9jWSc+N61f0C63:tSSBDtJXXlpS9N618C63
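The archive above is listed at 1.4MB, while the Targets section reports the extracted cj.exe at 810.6MB. That ratio only a binary padded with highly compressible bytes produces, and padding is a common trick for pushing a sample past sandbox and AV size limits. The following is an added example (not part of the sandbox report): it hashes an archive the way the report does and flags inflated members from the ZIP central directory without extracting anything. The thresholds and the sample archive are assumptions constructed for the example.

```python
"""Added example, not part of the sandbox report: hash an archive the way the
report does and flag inflated (padded) members using only the ZIP central
directory, so nothing is extracted to disk.
"""
import hashlib
import io
import zipfile

# Thresholds are assumptions chosen for illustration, not values from the report.
MIN_INFLATED_BYTES = 64 * 1024 * 1024  # flag members at or above 64 MiB uncompressed...
MIN_RATIO = 50.0                       # ...that also compress at least 50:1


def hash_bytes(data):
    """Return the same four digests the report lists, as hex strings."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def inspect_zip(data, min_inflated=MIN_INFLATED_BYTES, min_ratio=MIN_RATIO):
    """Describe each member of a ZIP held in memory and mark the ones that look padded."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = (info.file_size / info.compress_size
                     if info.compress_size else float("inf"))
            findings.append({
                "name": info.filename,
                "uncompressed": info.file_size,
                "compressed": info.compress_size,
                "ratio": round(ratio, 1),
                "padded": info.file_size >= min_inflated and ratio >= min_ratio,
            })
    return findings


def build_sample_zip(padding_len):
    """Constructed sample archive (not the real cj.zip): a two-byte 'MZ' stub
    followed by zero padding, plus a small text file, deflated like a dropper's zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("cj.exe", b"MZ" + bytes(padding_len))
        zf.writestr("readme.txt", b"constructed sample, not the real archive")
    return buf.getvalue()


if __name__ == "__main__":
    # 96 MiB of zeros: enough to trip the thresholds, well under the report's 810.6MB.
    archive = build_sample_zip(96 * 1024 * 1024)
    print("archive size:", len(archive), "bytes")
    for name, digest in hash_bytes(archive).items():
        print(f"{name:6} {digest}")
    for f in inspect_zip(archive):
        flag = "PADDED" if f["padded"] else "ok"
        print(f"{f['name']:12} {f['uncompressed']:>12} -> {f['compressed']:>8}"
              f"  ratio {f['ratio']:>7}  {flag}")
```

Real padded samples usually carry the filler in an overlay or a large resource rather than as trailing zeros, but the central-directory sizes give the same signal either way, and reading them avoids writing an 800MB file to disk before you have decided whether to look at it.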

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/

Targets

    • Target

      cj.exe

    • Size

      810.6MB

    • MD5

      4577904002f77c1cc861041f379d0fae

    • SHA1

      9ad75bebaaae5a2c63600e4e3fa39de3751fd0cb

    • SHA256

      e138199d0ad358bec8b6dfd708afe4e2f071686116d04eb797d542788346e6e3

    • SHA512

      38117f967643c05dbc31f1a3a165baf7f2b69cdb284b583e2f2408ca7e59e6f540864c579a8e794999d792cb761b2f2417234936b9016ec29a5ec6bf0ea98e91

    • SSDEEP

      12288:4Pn0mNOJgrxmdQqe19Z/PamxTu3VWRe2OjNk7d7q88u3UQ/370Vr:45OJAkQBt/PLxaMyOdu8jkQ/er

    • AgentTesla

      Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in Visual Basic .NET; it exfiltrates harvested credentials over channels such as SMTP, FTP or, as in this sample, the Telegram Bot API.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain locales).

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions, which can include saved credentials.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is a common step in process hollowing and related injection techniques: the suspended process's entry point is redirected to attacker-controlled code.
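Two behaviours in this report leave traces a defender can hunt for: the Telegram Bot API C2 listed under Malware Config (every request goes to api.telegram.org with the bot token in the URL path) and the PowerShell Defender-exclusion tampering listed above. The following is an added example, not the sandbox's own code, that covers both. Only the C2 URL comes from the report; the proxy log format, the log lines and the PowerShell command lines are constructed for the example, and the token regex is an assumption about the token's shape.

```python
"""Added example, not the sandbox's own code: hunt for the Telegram Bot API C2
and for PowerShell adding Windows Defender exclusions (T1059.001), over
constructed log lines. Only C2_URL comes from the report.
"""
import re
from urllib.parse import urlsplit

C2_URL = "https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/"

# Bot API paths look like /bot<numeric id>:<secret>/<method>. The secret's exact
# length is assumed, so anything token-shaped of 20+ characters is accepted.
TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]{20,})(?:/|$)")
CMDLET_RE = re.compile(r"(?i)\b(Add|Set)-MpPreference\b")
PARAM_RE = re.compile(
    r"(?i)-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+"
    r"(\"[^\"]*\"|'[^']*'|[^\s;|,]+)")
CANONICAL = {"exclusionpath": "ExclusionPath",
             "exclusionextension": "ExclusionExtension",
             "exclusionprocess": "ExclusionProcess"}

PROXY_LOGS = [  # constructed: "<time> <client> <method> <url|host:port> <status>"
    "2024-09-21T15:02:11Z 10.0.0.5 POST https://api.telegram.org/"
    "bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/sendDocument 200",
    "2024-09-21T15:02:12Z 10.0.0.5 CONNECT api.telegram.org:443 200",
    "2024-09-21T15:02:13Z 10.0.0.7 GET https://example.com/index.html 200",
]
PS_LOGS = [  # constructed command lines / script-block text
    'powershell.exe -NoP -W Hidden Add-MpPreference -ExclusionPath "C:\\Users\\Public\\cj.exe"',
    "Add-MpPreference -ExclusionExtension exe -ExclusionProcess cj.exe",
    "Get-MpPreference | Select-Object ExclusionPath",  # benign audit, must not match
]


def parse_bot_c2(url):
    """Return (bot id, full token) for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TOKEN_RE.search(parts.path)
    return (m.group(1), f"{m.group(1)}:{m.group(2)}") if m else None


def classify_proxy_line(line, known_bot_ids):
    """'known_c2' when the bot id matches this sample's config, 'telegram_bot_api'
    for any other Bot API traffic (only the host is visible without TLS
    inspection), None for everything else."""
    fields = line.split()
    if len(fields) < 4:
        return None
    target = fields[3]
    if "://" not in target:            # CONNECT host:port, no URL path available
        target = "https://" + target
    if urlsplit(target).hostname != "api.telegram.org":
        return None
    parsed = parse_bot_c2(target)
    if parsed and parsed[0] in known_bot_ids:
        return "known_c2"
    return "telegram_bot_api"


def find_defender_exclusions(script_text):
    """Return [(verb, parameter, value)] for every exclusion a command line adds.
    Only the exclusion parameters named in the report are covered; other
    Set-MpPreference tampering (e.g. disabling real-time monitoring) is not."""
    cmdlet = CMDLET_RE.search(script_text)
    if not cmdlet:
        return []
    verb = cmdlet.group(1).capitalize()
    return [(verb, CANONICAL[p.lower()], v.strip("\"'"))
            for p, v in PARAM_RE.findall(script_text[cmdlet.end():])]


if __name__ == "__main__":
    bot_id, _token = parse_bot_c2(C2_URL)
    print("sample's Telegram bot id:", bot_id)  # pivot on the id; the full token is a secret
    for line in PROXY_LOGS:
        verdict = classify_proxy_line(line, {bot_id})
        if verdict:
            print(f"[{verdict}] {line}")
    for line in PS_LOGS:
        for verb, param, value in find_defender_exclusions(line):
            print(f"[defender-exclusion] {verb}-MpPreference -{param} {value}")
```

Traffic to api.telegram.org is not malicious on its own, so the numeric bot ID is the useful pivot: it is stable across the sample's requests and appears in the path of every call if TLS is inspected. A production rule for the PowerShell side should also accept PowerShell's unambiguous parameter prefixes and decode -EncodedCommand payloads before matching, neither of which this example does.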

MITRE ATT&CK Enterprise v15

Tasks