General

  • Target

    rSOAMAR-APR2024-7917089.exe

  • Size

    743KB

  • Sample

    240515-nd9ffafa23

  • MD5

    7154bd52b1f1bca227835b96b42b0d73

  • SHA1

    16b38b1ec14205708343659050bf225e76e0f7ae

  • SHA256

    1eedf5f70bcf194dfc8c5ae6caf0d272aa678d6631126f2e7d3f0681ada9efd9

  • SHA512

    e0e82265a4cc126d71725c9f436f0632b18b056f659172f8940ab6354e4c329c2857508df773d8a2039257de0caa8ca25d36de638de895697844c9c3c99de1a4

  • SSDEEP

    12288:bC21680skSKSIwX32SeLB+E4fcUhbxQEWqF9XjVI5KViVfiVOJKHLEAmDokR:bN1680JSNI/S0+r0UUJqF9QK4VqVJra

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15