General
Target: f9683997b1733f292b8b22f8a94a315d_JaffaCakes118
Size: 878KB
Sample: 240419-d3547sge5w
MD5: f9683997b1733f292b8b22f8a94a315d
SHA1: 349b1fed7a0cee9f93119fe3f30a73b18589c163
SHA256: df88cb3a8f518f0589f2cd9cc1ed652cad16156932d08bf18a226177654e3cda
SHA512: 6b75f125065772ed2867181a60c05d0b1e3ef5eaed9f7f86f42d995f8c35d66b1ebcacf1939d14c3566630741d3db64a7767ab0db31e6b42e51ed2760d6d5aaf
SSDEEP: 24576:yNT+SqPYaAb7Gub1+xB/f79wVpoF7O3GGexKP:C6nMZb1+/iVUo
Static task: static1
Behavioral task: behavioral1
  Sample: Request_for_quotation_8378473847843.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Request_for_quotation_8378473847843.exe
  Resource: win10v2004-20240412-en
Malware Config
Extracted: agenttesla
  Protocol: ftp
  Host: ftp://ftp.mmdqatar.com/
  Port: 21
  Username: [email protected]
  Password: Internet@123
Targets
Target: Request_for_quotation_8378473847843.exe
Size: 1.2MB
MD5: 5a396ea7fb5013dea9e992a610a84e4a
SHA1: 533d2d0be556ea0cc3b0cb407cd4f4675c8b2f8c
SHA256: 69a494bfd4d95a7dfb43a121db499277a26d9c2c4c4aa3289cda63f88cb51b5e
SHA512: 0fa9f43b19cd10d9f921bd5254c5a9aed79a6e8bad419232639459b28e89476ad9a7a234001c4ee7706ea78afeabbb2a6c877cb5ae4ec15fee4bf64e806b41e2
SSDEEP: 24576:UJKklIgMsh4C2s0I3OgbilcN3yd2OluON4fA9uC:UBlIgMk4C2EDT3yd2OluON4fA9u
Signatures
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution: 1
  Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 1
  Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1