General

  • Target

    becauseofflowerwecantgivesuchamemorybecauseflowersareveryimporatntinffrontofloverwholikeyousheismygirl____ireallyloverhertruly.doc

  • Size

    65KB

  • Sample

    240515-l3x3lacc6x

  • MD5

    e050b72bd8f7f3c5a79af85cb1a1bd73

  • SHA1

    4a43ef0eebc753a7bff961543cbcf441c9f1b4bd

  • SHA256

    72dde2686b758581f880758d957458eb735cac9d0fcde2c5a50af2124d1ffc98

  • SHA512

    e149d46f6ba561672e97dff8b681e807dafcc505b064144e73389d96835bcd110b13b651a9adcef1b7b59d290565d3cacfe29eb2d1d000b6589c763d74044208

  • SSDEEP

    1536:Au/ZLIVlnZBLRzykHlA+lu4VKhk5v0jLJGWu+rtzy:TZ2nZFg4VKhbjLMB+rtW

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT) that harvests credentials from browsers, email and FTP clients and exfiltrates them over SMTP, FTP, HTTP or Telegram.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so that dropped payloads are not scanned (typically Add-MpPreference with -ExclusionExtension, -ExclusionPath and -ExclusionProcess).

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
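
The behaviours flagged above (PowerShell adding Defender exclusions, an external IP lookup, a file dropped into System32) are each weak on their own but strong together. The following is an added example, not part of the sandbox report or of any detection product: toy detection logic in Python run over constructed Sysmon-style events. The field names follow Sysmon EventID 1 (process create), 11 (file create) and 22 (DNS query); the event records, the image path C:\Users\Public\update.exe, the allowlists and the rule names are all made up for illustration, and the list of IP-lookup domains is a starting point, not an exhaustive one.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style events (not from the report). The first record
# mirrors the report's chain: an Office document spawning PowerShell to
# whitelist a drop directory and a payload.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -w hidden -c \"Add-MpPreference -ExclusionPath "
                    "C:\\Users\\Public -ExclusionExtension exe -ExclusionProcess update.exe\""},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-MpPreference"},   # benign: reads, does not add
    {"EventID": 22, "Image": r"C:\Users\Public\update.exe", "QueryName": "api.ipify.org"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.mozilla.org"},
    {"EventID": 11, "Image": r"C:\Users\Public\update.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\config\systemprofile\AppData\Local\x.tmp"},
]

# Public IP-lookup services commonly contacted by stealers (and by plenty of
# legitimate software, so a hit is a weak signal to be correlated, not an alert).
IP_LOOKUP_DOMAINS = {
    "api.ipify.org", "checkip.amazonaws.com", "icanhazip.com", "ifconfig.me",
    "ip-api.com", "ipinfo.io", "checkip.dyndns.org",
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Add-MpPreference followed (in the same statement) by any -Exclusion* switch.
ADD_EXCLUSION_RE = re.compile(
    r"add-mppreference\b[^|;]*?-exclusion(path|extension|process|ipaddress)\b", re.I)
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


@dataclass
class Alert:
    rule: str
    severity: str
    image: str
    detail: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    m = ADD_EXCLUSION_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    # An Office process spawning PowerShell to add exclusions is far more
    # suspicious than an administrator doing it from a console.
    sev = "high" if basename(ev.get("ParentImage", "")) in OFFICE_APPS else "medium"
    return Alert("defender_exclusion_via_powershell", sev, ev["Image"], m.group(0))


def check_dns_query(ev):
    if ev.get("QueryName", "").lower() not in IP_LOOKUP_DOMAINS:
        return None
    return Alert("external_ip_lookup", "low", ev["Image"], ev["QueryName"])


def check_file_create(ev):
    target = ev.get("TargetFilename", "").lower()
    writer = ev.get("Image", "").lower()
    # Windows components write under System32 constantly; only flag writers
    # that do not themselves live under C:\Windows (a crude but useful filter).
    if target.startswith(SYSTEM32_PREFIX) and not writer.startswith("c:\\windows\\"):
        return Alert("drops_file_in_system32", "medium", ev["Image"], ev["TargetFilename"])
    return None


CHECKS = {1: check_process_create, 22: check_dns_query, 11: check_file_create}


def detect(events):
    """Run every event through the check registered for its EventID."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is not None:
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


def correlate(alerts):
    """Map image -> set of rules it tripped, keeping only images that tripped
    two or more; one process exhibiting several of the report's behaviours is
    the signal worth escalating."""
    by_image = {}
    for a in alerts:
        by_image.setdefault(a.image.lower(), set()).add(a.rule)
    return {img: rules for img, rules in by_image.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity:6}] {a.rule:34} {a.image} :: {a.detail}")
    print("correlated:", correlate(found))
```

The per-event checks are deliberately simple; the value is in correlate(), which groups hits by the originating image so that the dropped executable doing both the IP lookup and the System32 write stands out while a lone Get-MpPreference from a console does not fire at all.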

MITRE ATT&CK Enterprise v15

Tasks