General

  • Target

    grace.exe

  • Size

    699KB

  • Sample

    240515-l43pgacd3s

  • MD5

    6cb57b7bbac238426bb2f888fbfc3ed7

  • SHA1

    f1440efc5419037d9d353cd39af3fefa736fb541

  • SHA256

    6ab2de6935249b3eda017e140655d900bd3e8eed7a96a2bbf09707a6c4e8787a

  • SHA512

    b03ac8f6b54bcd24bccc53d111a6ee9e56b0eea0845bfc8304430b510b2e980fc25baf2b39d65ca6c35058ea06b197dd8f9b01beafe6b21d41e354e0ca5b14ae

  • SSDEEP

    12288:ZKECAXYMjhvPie/rByY7777777777777rZkG5dFTh0e6huoo9rKNJrh5dBmmf6gs:ZtCAXYMFniyymkadFTh5quoo9rKThhdN

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      grace.exe

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer written in Visual Basic; it harvests saved browser, mail and FTP credentials and exfiltrates them over SMTP, FTP or HTTP.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths, and processes so the payload and its drop location are not scanned.

    • Checks computer location settings

      Reads the country code configured in the registry (the Nation value under HKCU\Control Panel\International\Geo), most likely as a geofence check before continuing.

    • Looks up external IP address via web service

      Contacts a legitimate public IP-lookup service to learn the infected system's external IP address, which is typically included in the first beacon or credential report.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process hollowing and similar injection, used to redirect execution into unpacked code.
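The PowerShell Defender-exclusion, registry geofence and external-IP behaviours above are what a detection engineer would want to recognise in telemetry. The following is an added example, not part of the original sandbox report: it runs simple Triage-style matchers over constructed Sysmon-like events (process creation, registry read, DNS query). The event shapes, the hostname list of IP-echo services and the sample command lines are assumptions; the one real detail is that `-EncodedCommand` payloads are UTF-16LE base64, which the matcher decodes so an `Add-MpPreference` hidden that way is still caught.

```python
import base64
import re

# Constructed Sysmon-style events standing in for a sandbox trace; none of
# these are from the original report.
def _encode_ps(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command \"Add-MpPreference -ExclusionPath "
                "'C:\\Users\\victim\\AppData\\Roaming' -ExclusionExtension 'exe'\""},
    {"type": "process",  # same behaviour, but hidden behind -enc
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc " + _encode_ps("Add-MpPreference -ExclusionProcess 'grace.exe'")},
    {"type": "registry", "image": r"C:\Users\victim\grace.exe",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "dns", "image": r"C:\Users\victim\grace.exe", "query": "api.ipify.org"},
    {"type": "dns", "image": r"C:\Users\victim\grace.exe", "query": "mail.example.test"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},
]

SIG_POWERSHELL = "Command and Scripting Interpreter: PowerShell"
SIG_GEO = "Checks computer location settings"
SIG_EXTIP = "Looks up external IP address via web service"

# Assumed list of common public IP-echo services; extend for your environment.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.dyndns.org",
                   "ip-api.com", "ifconfig.me", "checkip.amazonaws.com"}
# Common spellings of the encoded-command switch (PowerShell accepts any unambiguous prefix).
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def expand_powershell(cmdline: str) -> str:
    """Return the command line plus any decoded -EncodedCommand payload, so an
    Add-MpPreference hidden behind base64 is still visible to the matchers."""
    decoded = []
    for blob in ENCODED_RE.findall(cmdline):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; ignore it
    return cmdline + " " + " ".join(decoded)


def match_signatures(events):
    """Map events to the signature names used above; returns {name: [evidence, ...]}."""
    hits = {}

    def add(sig, evidence):
        hits.setdefault(sig, []).append(evidence)

    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe"):
            text = expand_powershell(ev["cmdline"])
            if re.search(r"\bAdd-MpPreference\b", text, re.I):
                kinds = sorted({k.lower() for k in EXCLUSION_RE.findall(text)})
                if kinds:
                    add(SIG_POWERSHELL, f"Defender exclusions added: {', '.join(kinds)}")
        elif ev["type"] == "registry" and GEO_KEY_RE.search(ev["key"]):
            add(SIG_GEO, f"{ev['image']} read {ev['key']}")
        elif ev["type"] == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            add(SIG_EXTIP, f"{ev['image']} resolved {ev['query']}")
    return hits


if __name__ == "__main__":
    for sig, evidence in match_signatures(EVENTS).items():
        print(sig)
        for line in evidence:
            print("   ", line)
```

On real telemetry the same logic applies to Sysmon event IDs 1 (process create), 13 (registry value set/read, where audited) and 22 (DNS query), or to PowerShell script-block logging (event 4104), which already shows the decoded script and makes the base64 step unnecessary.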

MITRE ATT&CK Enterprise v15