General

  • Target

    15f0ddc88c6582b454002e768cc8c8a9b59995276b86aa7d75ef6a17af2fda8ccab.cab

  • Size

    608KB

  • Sample

    231207-yglhwsfb29

  • MD5

    ebcf12f80da30c7a077d1740dfdd5bd0

  • SHA1

    79ce29609ca633f7ab3fd9cecf147a8ba58ba6a8

  • SHA256

    15f0ddc88c6582b454002e768cc8c8a9b59995276b86aa7d75ef6a17af2fda8c

  • SHA512

    5b4f111f9e2d241b9460269662b41130305ac597af2863127de4fe5c05533e4c34155f089a60013efced6be492bf23067f1d5f37043926cb4b3f7cdf9b7a252a

  • SSDEEP

    12288:c6s8jX2yBOpMwZt+Oik9nwhBEm4pZ5fzJfO4mtRk3gFSAA:pLrgy8XtwhBH8Z5924mtRk3gIT

Malware Config

Extracted

  • Family:
    agenttesla

Extracted Credentials

  • Protocol:
    smtp
  • Host:
    smtp.dcc-asia.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    soso@#1235

Targets

    • Target

      INVOICE & AWB #5291760_pdf.exe

    • Size

      639KB

    • MD5

      c60068fde058f588a2b7fe236cfbc0e9

    • SHA1

      d5b3d029b3645a1f2cbf14ec1d134276e47d60e2

    • SHA256

      a75840200db6ba9313053ab15551f6c758d78ac9ffbe75ede0f36e744eaed24b

    • SHA512

      146f766575aa3f81a4d90247871e17cd99bb572720f1a5b72a0ace9140476556d321e82526176bc831eefd029253c5fa627eb7ba78bbd73e2c080447fa2249c0

    • SSDEEP

      12288:CE5QaueH5qjR82KUIdsNQ3GZDlOPk9JiPB7a4pZ5fBJfOUmtakjg7s:CE3qjWsI6wKo44PBu8Z5L2Umtaks

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery

    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2
