General

  • Target

    c466a6c6e7559241415cc01e8a5bf1caa70995699acbf0f9145099ba58b56cd8

  • Size

    1.0MB

  • Sample

    240408-bg6gqscc33

  • MD5

    84960c5768e2ce8c9f3ce13a17e71f22

  • SHA1

    3d10c931c5437669f4552c14433d87b54a06931e

  • SHA256

    c466a6c6e7559241415cc01e8a5bf1caa70995699acbf0f9145099ba58b56cd8

  • SHA512

    7997f1b4e5741cfc470d6679478ef5afc7d7a51823e3d673f24e079f5720e0507553716a8b63065124fceb1a2a72a65a28255e7cb173db7510db9b8fac25eff2

  • SSDEEP

    24576:T1qSo8qz4b8IjK3kM9c/PVCQMTawdYl/N/ei0v/ynk:wSS4oIe0eK2dS/Nde/r

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.taqwaknitwear.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    PGZ=5p?DmAtX

Targets

    • Target

      c466a6c6e7559241415cc01e8a5bf1caa70995699acbf0f9145099ba58b56cd8

    • Size

      1.0MB

    • MD5

      84960c5768e2ce8c9f3ce13a17e71f22

    • SHA1

      3d10c931c5437669f4552c14433d87b54a06931e

    • SHA256

      c466a6c6e7559241415cc01e8a5bf1caa70995699acbf0f9145099ba58b56cd8

    • SHA512

      7997f1b4e5741cfc470d6679478ef5afc7d7a51823e3d673f24e079f5720e0507553716a8b63065124fceb1a2a72a65a28255e7cb173db7510db9b8fac25eff2

    • SSDEEP

      24576:T1qSo8qz4b8IjK3kM9c/PVCQMTawdYl/N/ei0v/ynk:wSS4oIe0eK2dS/Nde/r

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks