General

  • Target

    BANK SWIFT.pdf_________________________________________________________________________.exe

  • Size

    719KB

  • Sample

    240515-nd9ffaeg6w

  • MD5

    2e8778e7de604e1c3076a0b7f3dbf472

  • SHA1

    0520202c3eee3ea89bb2809bc56ca8bd2ef1479f

  • SHA256

    fac5820afb79ef32f8b147ade861758c0c721f412341944766870d0418c8116e

  • SHA512

    353a1cac0f3424f9d7f5de53c4915d138f698405d0bf8b5486baaff4f0e0e1ec86b18e000f22dde65e9a40ac77e95ebd5f6a5544a96b15df665156d55f3c39c7

  • SSDEEP

    12288:GIlXAhYMjhvPie/rByY7777777777777zqoUCfsfQfJ7UF+bDc5T0yiKXu58gdYy:GmXAhYMFniyyHoN0fQjsZL+R

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      BANK SWIFT.pdf_________________________________________________________________________.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks