General

  • Target

    776a487683442337ca3f093bcdf8caf6659615f8901a38c9318acb9e98560c21

  • Size

    856KB

  • Sample

    240408-bk822acd36

  • MD5

    a69d287b0e4dbb051cb06c128f3d4d4c

  • SHA1

    e0cd77daca49bb14719a433964f2a949279d3657

  • SHA256

    776a487683442337ca3f093bcdf8caf6659615f8901a38c9318acb9e98560c21

  • SHA512

    1c639114cbc5665096939b8bd85be336afb4d5035f607cddbe12c7bdb69fc56f94caa78bc76547b41f410716c655cba67948ece2d0aa8a1f4d44f52349b6b0ea

  • SSDEEP

    24576:2dEQwNfgbKo6wDKpnMNEi/UqSTqdMRgMj0QqZ0b/:2qQ4Ibr6wMysqp+RT0xZ0b/

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Swatches FOR OUTERWEAR - xlsx.exe

    • Size

      1.0MB

    • MD5

      296dd3a2058c5964e6a9dadae816de65

    • SHA1

      6fc0507f2cdba4b05d244ea5d555740520cf6ab5

    • SHA256

      3a30bc22a3e877de91fd847ed7b101926a1cb5c2161772cb1ae34df84572f3d0

    • SHA512

      9cc437b66998d2362e5833b50dd2411ad4e1f746dae04a2697c73265e05852ca328fe8446f5ebf2f9e8710481edbaa5284dddf0939758750f767107cbbb1a0a6

    • SSDEEP

      24576:S61qnMPbEo6ijK5nMNgi3MqETqdMRqMjw2qvw4z:04bB6i2kcqdCRFwXvw4z

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15