General

  • Target

    Booking-103.rar

  • Size

    1.0MB

  • Sample

    240923-hqxphsyell

  • MD5

    d4227c5e64fe6fdf86d0e61052ac8242

  • SHA1

    dfccfbb5680d8c855a54528cec8ee545d9b317d7

  • SHA256

    442c980afd52f6d5743d56e9092648169860391e770751eed65a6db619dd2298

  • SHA512

    f5bc87a7b68c476ce0f27a2fd1e386a7b533bdb85144c1a97f6bce89dfbaaa444d26f80ddf5ca91b501af89c664632686b318560b7873881e246eeaf1c860349

  • SSDEEP

    24576:jD9CGzAuS9OLP/rnHR2CFJmSkLG3EBboJ1XnBRiXi:jDUUAL9wd/xk9bsrr

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Booking-103.exe

    • Size

      1.2MB

    • MD5

      719c383a8fada83f805b51239a2aa783

    • SHA1

      0893fcf8a3a27f38b416b0c56ac88f96556262f5

    • SHA256

      1f2c15231eafbca1fb5a99d5abb83254ac352a60aee2ad1b0c9b5a3ec79c5a39

    • SHA512

      90771d390455cfd394ff93bdad99515ac400ef918fcd3215ea19f5d06b79927117d87d34f7845d1f937fd71246441c1b43f4b056131bf13764dfe38479cd6133

    • SSDEEP

      24576:VDenzYxgITPxj/Xtk1YGm56Td53/Pdbgn06bbC9:9ezsPj/XomI5vPdbAbm

    • AgentTesla

Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, written in Visual Basic (.NET); its main purpose is harvesting credentials from browsers, mail and FTP clients and exfiltrating them.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      A process was created with an explicitly chosen parent (parent PID spoofing), so the parent shown in process-creation telemetry may not be the process that actually started it.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address, which is typically reported back to the operator together with the stolen data.

    • Suspicious use of SetThreadContext

      The thread context of another process was modified, the usual final step of process hollowing or injection before injected code starts executing.
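The hashes listed for the archive and for the extracted executable are the indicators a responder will actually check files against. The following is an added example, not part of the original report: it copies the MD5, SHA-1, SHA-256 and SHA-512 values from this page into a lookup table, computes all four digests of a file in a single streaming pass, and reports which target (if any) the file matches. The function names, the streaming chunk size and the in-memory test input are this example's own assumptions.

```python
"""Check a file's digests against the hashes published in a sandbox report.

Added example, not taken from the report or from the sandbox vendor.  The IOC
table copies the hash values printed on the page; the function names, the
chunk size and the sample inputs are this example's own construction.
"""
import hashlib
import sys
from typing import Dict, Optional

# Hash values copied from the report above, keyed by the target name it uses.
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "Booking-103.rar": {
        "md5": "d4227c5e64fe6fdf86d0e61052ac8242",
        "sha1": "dfccfbb5680d8c855a54528cec8ee545d9b317d7",
        "sha256": "442c980afd52f6d5743d56e9092648169860391e770751eed65a6db619dd2298",
        "sha512": "f5bc87a7b68c476ce0f27a2fd1e386a7b533bdb85144c1a97f6bce89dfbaaa44"
                  "4d26f80ddf5ca91b501af89c664632686b318560b7873881e246eeaf1c860349",
    },
    "Booking-103.exe": {
        "md5": "719c383a8fada83f805b51239a2aa783",
        "sha1": "0893fcf8a3a27f38b416b0c56ac88f96556262f5",
        "sha256": "1f2c15231eafbca1fb5a99d5abb83254ac352a60aee2ad1b0c9b5a3ec79c5a39",
        "sha512": "90771d390455cfd394ff93bdad99515ac400ef918fcd3215ea19f5d06b7992711"
                  "7d87d34f7845d1f937fd71246441c1b43f4b056131bf13764dfe38479cd6133",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def _new_hashers() -> Dict[str, "hashlib._Hash"]:
    return {name: hashlib.new(name) for name in ALGOS}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """All four digests of an in-memory blob (handy for tests and small files)."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests, but streamed so a large sample is never fully in memory.

    The chunk size is an assumption; any size works, it only affects memory use.
    """
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: Dict[str, str], iocs=REPORT_IOCS) -> Optional[str]:
    """Return the report target whose hashes agree with `digests`, else None.

    Every algorithm present on both sides must agree.  A single disagreeing
    digest means a different file, even if a weaker hash happened to collide,
    so never decide on MD5 alone when a SHA-256 is available.
    """
    for target, expected in iocs.items():
        common = set(expected) & set(digests)
        if common and all(digests[a].lower() == expected[a] for a in common):
            return target
    return None


if __name__ == "__main__":
    # Usage: python check_hashes.py <file> [<file> ...]
    for path in sys.argv[1:]:
        hit = match_iocs(digest_file(path))
        print(f"{path}: {'MATCH ' + hit if hit else 'no match'}")
```

Feed it the downloaded archive and the extracted executable; a match on the archive but not on the executable usually means a different build was repacked into the same lure, which is worth noting before reusing the executable hashes as blocking indicators.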
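Two of the behaviours above, the Run key persistence and the external IP lookup, leave traces in ordinary endpoint telemetry and are the easiest to turn into host-side detections. The following is an added example, not part of the original report and not the sandbox's own signature logic: it runs a small rule set over constructed Sysmon-shaped events (Event ID 13 registry value set, Event ID 22 DNS query, Event ID 1 process create) and correlates the two behaviours per image. The event records, the image paths, the registry value names and the watchlist of IP lookup domains are all assumptions for illustration; the report only says that a legitimate lookup service was used and does not name one.

```python
"""Toy detections for the Run-key persistence and external-IP-lookup signatures.

Added example, not from the report and not the sandbox vendor's signature code.
All events below are constructed, Sysmon-shaped dicts; the domain watchlist and
the directory heuristic are assumptions, not facts extracted from the sample.
"""
import re
from typing import Dict, Iterable, List

# Assumed watchlist of public "what is my IP" services.  Extend from your own
# proxy logs; the report does not say which service this sample contacted.
IP_LOOKUP_DOMAINS = {
    "api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
    "ipinfo.io", "ifconfig.me", "checkip.amazonaws.com",
}

# ...\Microsoft\Windows\CurrentVersion\Run and RunOnce under HKLM or any HKU hive,
# in the form Sysmon writes TargetObject.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Run values pointing into user-writable locations are far more suspicious than
# vendor updaters under Program Files (heuristic; tune for your estate).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matching event plus one per image that shows both behaviours."""
    findings: List[Dict] = []
    rules_by_image: Dict[str, set] = {}

    for ev in events:
        image = ev.get("Image", "<unknown>")
        eid = ev.get("EventID")

        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            confidence = "high" if USER_WRITABLE_RE.search(details) else "low"
            findings.append({
                "rule": "run_key_persistence", "image": image, "confidence": confidence,
                "evidence": f"{ev['TargetObject']} = {details}",
            })
            rules_by_image.setdefault(image, set()).add("run_key_persistence")

        elif eid == 22 and ev.get("QueryName", "").lower() in IP_LOOKUP_DOMAINS:
            findings.append({
                "rule": "external_ip_lookup", "image": image, "confidence": "high",
                "evidence": ev["QueryName"],
            })
            rules_by_image.setdefault(image, set()).add("external_ip_lookup")

    # Correlation: the same image both persisting and asking for its public IP is
    # the stealer pattern the report describes; either alone is common in benign software.
    for image, rules in rules_by_image.items():
        if {"run_key_persistence", "external_ip_lookup"} <= rules:
            findings.append({
                "rule": "persistence_plus_ip_lookup", "image": image, "confidence": "high",
                "evidence": ", ".join(sorted(rules)),
            })
    return findings


# Constructed sample telemetry (not captured from the real sample).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\sample.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Sample",
     "Details": r"C:\Users\victim\AppData\Roaming\Sample\sample.exe"},
    {"EventID": 22, "Image": r"C:\Users\victim\Downloads\sample.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe /background"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['confidence']:4}] {f['rule']:28} {f['image']}  ({f['evidence']})")
```

The remaining two signatures are harder to reproduce from logs: parent PID spoofing makes the ParentImage field in Event ID 1 untrustworthy rather than producing a distinctive event, and SetThreadContext is not logged by Sysmon at all, so those are better covered by EDR kernel callbacks or the sandbox itself.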

MITRE ATT&CK Enterprise v15

Tasks