General
-
Target
776a487683442337ca3f093bcdf8caf6659615f8901a38c9318acb9e98560c21
-
Size
856KB
-
Sample
240408-bk822acd36
-
MD5
a69d287b0e4dbb051cb06c128f3d4d4c
-
SHA1
e0cd77daca49bb14719a433964f2a949279d3657
-
SHA256
776a487683442337ca3f093bcdf8caf6659615f8901a38c9318acb9e98560c21
-
SHA512
1c639114cbc5665096939b8bd85be336afb4d5035f607cddbe12c7bdb69fc56f94caa78bc76547b41f410716c655cba67948ece2d0aa8a1f4d44f52349b6b0ea
-
SSDEEP
24576:2dEQwNfgbKo6wDKpnMNEi/UqSTqdMRgMj0QqZ0b/:2qQ4Ibr6wMysqp+RT0xZ0b/
Static task
static1
Behavioral task
behavioral1
Sample
Swatches FOR OUTERWEAR - xlsx.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Swatches FOR OUTERWEAR - xlsx.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.taqwaknitwear.com - Port:
587 - Username:
[email protected] - Password:
PGZ=5p?DmAtX - Email To:
[email protected]
Targets
-
-
Target
Swatches FOR OUTERWEAR - xlsx.exe
-
Size
1.0MB
-
MD5
296dd3a2058c5964e6a9dadae816de65
-
SHA1
6fc0507f2cdba4b05d244ea5d555740520cf6ab5
-
SHA256
3a30bc22a3e877de91fd847ed7b101926a1cb5c2161772cb1ae34df84572f3d0
-
SHA512
9cc437b66998d2362e5833b50dd2411ad4e1f746dae04a2697c73265e05852ca328fe8446f5ebf2f9e8710481edbaa5284dddf0939758750f767107cbbb1a0a6
-
SSDEEP
24576:S61qnMPbEo6ijK5nMNgi3MqETqdMRqMjw2qvw4z:04bB6i2kcqdCRFwXvw4z
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2