General

  • Target

    6AE7B9957A07BB74DB7765FD6C639A3C8AA42EC451E80B2D7CAF391F92E24A7F

  • Size

    638KB

  • Sample

    221123-r1r2fsaa55

  • MD5

    1f3b735fee13705c4368288b7ff93ffa

  • SHA1

    e5c36590bb257017323b9aa18632c692595f0c36

  • SHA256

    6ae7b9957a07bb74db7765fd6c639a3c8aa42ec451e80b2d7caf391f92e24a7f

  • SHA512

    b5eb06f7842a7e903ec9a1e822a97691a6b1638bb73aa760ae3180685180f11e39abb086a49de683c19d91c709b2cd137b884c9a05af213a1b68ee36a915ffd5

  • SSDEEP

    12288:2z9jrR/Gz6BYZi4jIU8t4VHWrkOvQYGjGgIa+3FNoBTz:alrPYZsU80m5qjRIa+wTz

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Purchase Orders.exe

    • Size

      835KB

    • MD5

      986d201be0de714e6e89fdb89af8f172

    • SHA1

      95f4ffc07db4709c9d148273320cee228fbf088a

    • SHA256

      968be89e91c52db13b473bf5894e1b11de82551176fff293d752e388f7e83175

    • SHA512

      e6899b74da72a831f6f9a72e3b489f5b121c85590f73d1cc5112d34256161c3be208bc7d68a900e853365561c3bcbdc2d367b1b8231735ef107920701b14a33b

    • SSDEEP

      12288:IWuFITqcSpFKgLIvGTU5YakRORcm4Y2JGAfmjobA2r:MFnc4FtLIKakRDVhug

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic (.NET); the extracted "Credentials" block above holds its exfiltration settings.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to (or away from) particular regions.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
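The signatures above are produced by a sandbox's behaviour rules. As an added example (not the report's or any sandbox's own rule set), the Python below maps a short, constructed trace of process, registry and network events to the same signature names. The event shape (dicts with an "op" key), the registry paths matched and the list of IP lookup hostnames are assumptions chosen for illustration; the "Suspicious use of SetThreadContext" rule only fires when one parent performs the full suspended-create, write, SetThreadContext, resume sequence against the same child, the classic process-hollowing pattern.

```python
"""Map sandbox-style behaviour events to the signature names used in the
report above.  Added example, not part of the original report or of any
sandbox's own rule set.  Event format, registry paths and hostnames are
assumptions chosen for illustration."""
import re
from collections import defaultdict

# Constructed sample events, in the order a sandbox might record them.
SAMPLE_EVENTS = [
    {"pid": 1204, "op": "reg_query",
     "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"pid": 1204, "op": "reg_query",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 1204, "op": "reg_set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\victim\AppData\Roaming\Updater.exe"},
    {"pid": 1204, "op": "create_process", "target_pid": 2320, "flags": ["CREATE_SUSPENDED"]},
    {"pid": 1204, "op": "write_memory", "target_pid": 2320},
    {"pid": 1204, "op": "set_thread_context", "target_pid": 2320},
    {"pid": 1204, "op": "resume_thread", "target_pid": 2320},
    {"pid": 2320, "op": "http_get", "host": "api.ipify.org", "path": "/"},
]

# Hostnames of public IP lookup services (assumed list, extend as needed).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "ifconfig.me"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
OUTLOOK_RE = re.compile(r"\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles\\", re.IGNORECASE)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# Process-hollowing sequence: every step aimed at the same child, in this order.
HOLLOW_SEQUENCE = ["create_process", "write_memory", "set_thread_context", "resume_thread"]


def hollowing_targets(events):
    """Return the child PIDs that received the full suspended-create / write /
    SetThreadContext / resume sequence from a single parent process."""
    progress = defaultdict(int)  # (parent_pid, child_pid) -> index of next expected step
    hits = set()
    for ev in events:
        child = ev.get("target_pid")
        if child is None:
            continue
        key = (ev["pid"], child)
        if progress[key] >= len(HOLLOW_SEQUENCE):
            continue
        expected = HOLLOW_SEQUENCE[progress[key]]
        if ev["op"] != expected:
            continue
        # The first step only counts if the child was created suspended.
        if expected == "create_process" and "CREATE_SUSPENDED" not in ev.get("flags", []):
            continue
        progress[key] += 1
        if progress[key] == len(HOLLOW_SEQUENCE):
            hits.add(child)
    return hits


def classify(events):
    """Return the set of report signature names triggered by the event trace."""
    sigs = set()
    for ev in events:
        op, path = ev["op"], ev.get("path", "")
        if op == "reg_query" and GEO_KEY_RE.search(path):
            sigs.add("Checks computer location settings")
        if op == "reg_query" and OUTLOOK_RE.search(path):
            sigs.add("Accesses Microsoft Outlook profiles")
        if op == "reg_set" and RUN_KEY_RE.search(path):
            sigs.add("Adds Run key to start application")
        if op == "http_get" and ev.get("host", "").lower() in IP_LOOKUP_HOSTS:
            sigs.add("Looks up external IP address via web service")
    if hollowing_targets(events):
        sigs.add("Suspicious use of SetThreadContext")
    return sigs


if __name__ == "__main__":
    for name in sorted(classify(SAMPLE_EVENTS)):
        print(name)
```

Run stand-alone it prints the five signature names listed for this sample. Note that the external-IP request is attributed to the hollowed child (pid 2320), not the dropper, which is why correlating network activity back to the parent matters when triaging a trace like this.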

MITRE ATT&CK Enterprise v6

Tasks