General

  • Target

    aa30351848b61883d95a52e505978c07d761d743e172cee3ed96c0ef801ee47e

  • Size

    622KB

  • Sample

    240328-bpt4nsac24

  • MD5

    86eb33340da5adfa46c9ebab4e288f23

  • SHA1

    c8a8b2182f891f12657441c496a607ceaaab04cb

  • SHA256

    aa30351848b61883d95a52e505978c07d761d743e172cee3ed96c0ef801ee47e

  • SHA512

    b4014a13291b73d804662cdfe6256a903a2ea84ab15c69ac1ea6c60b116a8270c6b46608382795b7edfdcd1c97accfe0ba02776651942b46ed5e6779ae978042

  • SSDEEP

    12288:Ga5W3ob2VFy7sPI2jiYhYtq0PQq+ehYumYRcgDJHjP2TeGsKfSqL3Z/wMTe+sU0:C39Fy7sPI2jN4q/JuDRcCpKfXRwseL

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      aa30351848b61883d95a52e505978c07d761d743e172cee3ed96c0ef801ee47e

    • Size

      622KB

    • MD5

      86eb33340da5adfa46c9ebab4e288f23

    • SHA1

      c8a8b2182f891f12657441c496a607ceaaab04cb

    • SHA256

      aa30351848b61883d95a52e505978c07d761d743e172cee3ed96c0ef801ee47e

    • SHA512

      b4014a13291b73d804662cdfe6256a903a2ea84ab15c69ac1ea6c60b116a8270c6b46608382795b7edfdcd1c97accfe0ba02776651942b46ed5e6779ae978042

    • SSDEEP

      12288:Ga5W3ob2VFy7sPI2jiYhYtq0PQq+ehYumYRcgDJHjP2TeGsKfSqL3Z/wMTe+sU0:C39Fy7sPI2jN4q/JuDRcCpKfXRwseL

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP, HTTP or Telegram, which is why the extracted config above carries a Credentials block.

    • Checks computer location settings

      Reads the country code configured in the registry (Windows keeps the user's GeoID under HKCU\Control Panel\International\Geo), most likely as a geofence so the sample stays dormant in excluded regions.

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup service to discover the infected system's external IP address; the request to that service is a usable network indicator even though the destination itself is benign.

    • Suspicious use of SetThreadContext

      Sets the register context of a thread belonging to another process, the step process hollowing (RunPE) uses to point a suspended host process at injected code before resuming it.
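The three signatures above are each a single behavioural rule over the sandbox's API trace. The following is an added example, not part of the original report and not Triage's own code: a minimal signature engine that replays those rules (plus a schtasks rule for the T1053 hits in the matrix) over a constructed trace. The "<pid> <api> <argument>" trace format, the IP-lookup host list, the sample lines and the signature-to-ATT&CK mapping are all assumptions; the mapping was chosen so it reproduces the counts in this report's matrix (T1012 x1, T1082 x2, T1053 x1).

```python
"""Mini behavioural signature engine over a constructed sandbox API trace.

Added example; not the report's or Triage's code. Trace format, hosts and
ATT&CK mapping are hypothetical.
"""
import re
from collections import defaultdict

# Constructed API trace (not real sandbox output). One call per line:
# <pid> <api name> <argument>. pid 4120 is the loader, 5004 the hollowed host.
SAMPLE_TRACE = r"""
4120 RegOpenKeyExW HKCU\Control Panel\International\Geo
4120 RegQueryValueExW HKCU\Control Panel\International\Geo\Nation
4120 RegQueryValueExW HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
4120 InternetOpenUrlW http://api.ipify.org/
4120 CreateProcessW schtasks.exe /Create /TN Updates\Example /XML C:\Users\user\AppData\Local\Temp\tmp1A2B.tmp
4120 CreateProcessW C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe CREATE_SUSPENDED
4120 WriteProcessMemory pid=5004
4120 SetThreadContext pid=5004
4120 ResumeThread pid=5004
5004 SetThreadContext pid=5004
"""

# Assumption: a short list of public IP-lookup services commonly abused by stealers.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org",
                   "icanhazip.com", "ip-api.com"}
HTTP_APIS = {"InternetOpenUrlA", "InternetOpenUrlW", "InternetConnectA",
             "InternetConnectW", "WinHttpConnect", "getaddrinfo", "GetAddrInfoW"}


def parse_trace(text):
    """Return a list of (pid, api, argument) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 2)
        pid, api = int(parts[0]), parts[1]
        arg = parts[2] if len(parts) == 3 else ""
        events.append((pid, api, arg))
    return events


def sig_geofence(pid, api, arg):
    # "Checks computer location settings": read of the GeoID value.
    return api.startswith("RegQueryValueEx") and \
        arg.lower().endswith("\\control panel\\international\\geo\\nation")


def sig_external_ip(pid, api, arg):
    # "Looks up external IP address via web service": HTTP/DNS to a known lookup host.
    if api not in HTTP_APIS:
        return False
    m = re.match(r"(?:https?://)?([A-Za-z0-9.-]+)", arg)
    return bool(m) and m.group(1).lower() in IP_LOOKUP_HOSTS


def sig_set_thread_context(pid, api, arg):
    # "Suspicious use of SetThreadContext": target thread lives in another process.
    m = re.fullmatch(r"pid=(\d+)", arg)
    return api == "SetThreadContext" and bool(m) and int(m.group(1)) != pid


def sig_scheduled_task(pid, api, arg):
    # Scheduled Task/Job (T1053): schtasks.exe /Create spawned by the sample.
    low = arg.lower()
    return api.startswith("CreateProcess") and "schtasks" in low and "/create" in low


SIGNATURES = [
    ("Checks computer location settings", sig_geofence),
    ("Looks up external IP address via web service", sig_external_ip),
    ("Suspicious use of SetThreadContext", sig_set_thread_context),
    ("Scheduled task creation via schtasks", sig_scheduled_task),
]

# Assumed mapping; it reproduces the report's matrix counts (T1012 x1, T1082 x2, T1053 x1).
ATTACK_MAP = {
    "Checks computer location settings": ("T1012", "T1082"),
    "Looks up external IP address via web service": ("T1082",),
    "Suspicious use of SetThreadContext": (),
    "Scheduled task creation via schtasks": ("T1053",),
}


def run_signatures(events):
    """Map each pid to the sorted list of signature names it triggered."""
    hits = defaultdict(set)
    for pid, api, arg in events:
        for name, check in SIGNATURES:
            if check(pid, api, arg):
                hits[pid].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def attack_summary(hits):
    """Count ATT&CK technique IDs over all triggered signatures, as the matrix does."""
    counts = defaultdict(int)
    for names in hits.values():
        for name in names:
            for tid in ATTACK_MAP[name]:
                counts[tid] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = run_signatures(parse_trace(SAMPLE_TRACE))
    for pid, names in hits.items():
        print(pid, names)
    print(attack_summary(hits))
```

The same-pid SetThreadContext call from pid 5004 is deliberately in the trace as a negative case: a process adjusting its own thread context is ordinary (exception handling, debuggers), so the rule only fires when the target pid differs from the caller.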

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of report signatures mapped to it.

  • Execution

    Scheduled Task/Job, T1053 (1)

  • Persistence

    Scheduled Task/Job, T1053 (1)

  • Privilege Escalation

    Scheduled Task/Job, T1053 (1)

  • Discovery

    Query Registry, T1012 (1)
    System Information Discovery, T1082 (2)

Tasks