General
Target: Alternate.exe
Size: 2.1MB
Sample: 240629-s9an7szhph
MD5: ec80f135f9ed2d572920bb11e03302ed
SHA1: 0441da2b1c4a843d8948a7954c28acdd3985d48c
SHA256: 5a03ae732691c3356330a366f05d915913071c0c7e7b3eab9f6c3583a2e292be
SHA512: dae64918dc18752689d3eb82fd35d367203259968753d115ce3cdc02f2524e8ab5ed21535cc40e331e742c7f0093e4c8c4801e3226dfda601f04db3e2861f5c2
SSDEEP: 49152:TEpH5c5KZYlYXnqfzQnSDZdjEV7v0oGNf2XXQd+NP2a:E2FY3SmSNNEVwHNuXM+NP2

Static task: static1
Behavioral task: behavioral1
Sample: Alternate.exe
Resource: win10v2004-20240508-en

Malware Config
Extracted: stealerium
https://discord.com/api/webhooks/1256630214449172480/KPSOBnkaIxsSCBfUjQjFjqFs81SqowDleEn5uuMYiQyvvhycJrsUT_kLVBqKjx_ijiXR
Targets
Target: Alternate.exe
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload
Downloads MZ/PE file
Sets service image path in registry
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
Executes dropped EXE
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Event Triggered Execution: 1
Netsh Helper DLL: 1