General
-
Target
72106fac6f73c73139d35a9c475876aef1444a0366cb9e7c5040e4bdce5bdf7e.zip
-
Size
630KB
-
Sample
241116-kg6l6stamj
-
MD5
83f6f783b21e15a70128f79c7e6ed162
-
SHA1
93c4158f3e8714f5c1d2f45380a8ac7991375cba
-
SHA256
72106fac6f73c73139d35a9c475876aef1444a0366cb9e7c5040e4bdce5bdf7e
-
SHA512
907a7a8c436bbf8af50e1e054456fd5c035a1b9d29a1d9fd290d8d5f8e68a30876490e7cc4513c6d8e2829b7d2522eacf8197d8e000448ef6114adc48a92b8aa
-
SSDEEP
12288:F5N7yhVOviZedZx0ht9geW/ykJZhVrV3TPW9FSVc/gCijDf54wznmq4:BGhU0EAtKe/2rVxDPWGc/7MB4w/4
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
manlikeyou88 - Email To:
[email protected]
Targets
-
-
Target
New Tooling CT240230231CTA240714.exe
-
Size
2.6MB
-
MD5
084dcc77f2015db12169837b93e13430
-
SHA1
3b239c71274c55e342f71ce2c13057c3cdb9ca2d
-
SHA256
db54f10f4f1c3eae171d83065364f5482d76c048daae934da0279506c9169802
-
SHA512
b14e10288c109b3ebf6166fd1974e1d81289925c3bac5f8bf5eda589ef65ffa5ffb16f18a307b1f721091d49c8cc0c03cc2017d0400899f0cedc20326153e57e
-
SSDEEP
12288:KP7r9r/+ppppppppppppppppppppppppppppp0GMVOLiZedZ/0dt9geW/iwJZxVi:K1qMK0EctKeVqfVxtXWmI/7khqw/he
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
UAC bypass
-
Windows security bypass
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Checks whether UAC is enabled
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1