General

  • Target

    7e00aeec4c4b394654b93c80d66b0e6d78e63cbc97f1668b4d7b0db833b4db1a

  • Size

    679KB

  • Sample

    240518-j83txsbe23

  • MD5

    9b4af560c789e4a0e8fcb4b9fd41a682

  • SHA1

    5025073eeba5460861fe9c4cdec9345d62d56358

  • SHA256

    7e00aeec4c4b394654b93c80d66b0e6d78e63cbc97f1668b4d7b0db833b4db1a

  • SHA512

    afa300adb7b4f6a16160b21d568779c08f1bfd0fccf01411f13b4923056586554ce4e804bf4b57fea4140d09eb0f64739e959718bc5c5e6a318d006fc58dfe2a

  • SSDEEP

    12288:ik/r5d67irL179NW6Ge+De4u/Yh8lUul1xOjGtsYt8Sds0uvS0iC:iktdekZ7PGeIu/IaEGtQSy0kf

Malware Config

Extracted

Family

agenttesla

Extracted Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ddisibjmyxncuflp

Targets

    • Target

      2940a8fe07543e73573471f46229165e5aa84bf7b42ac60004ab22c916aaff8f.exe

    • Size

      722KB

    • MD5

      eec92f9eaf00561a5b910272f3d9e1d2

    • SHA1

      dd7d1313abef47b1a03204ed117788c24541b911

    • SHA256

      2940a8fe07543e73573471f46229165e5aa84bf7b42ac60004ab22c916aaff8f

    • SHA512

      0a17e4ed10b7ea9ed073d5fdc3e9790057567e2c120d58b612b3f0d0dc17cf93181bca71fd7bba2254f92650f30e40c9030ec46aceb36fcf1403ad73178f1973

    • SSDEEP

      12288:jV0pei36ROF/ht9gSRJXnbclb7tQrNTq5w0ftSgrwlL/2:japp36m39rzclQpbgrwl7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks