General

  • Target

    86093067d960040ed12acb55c26005fb4c4fe30b5bb0698397d1ea75915433d9.iso

  • Size

    836KB

  • Sample

    240518-k9g5aadc2x

  • MD5

    c7e1d63fa8f9e0dcab79ed3c4415a753

  • SHA1

    eba7c9f65d45ecaaa8254de224035ed58c5febbe

  • SHA256

    86093067d960040ed12acb55c26005fb4c4fe30b5bb0698397d1ea75915433d9

  • SHA512

    4815087435b2cc5c639af605bcf66fcfc9055deaf3f54bdf81a3acf404418a147c87290f0fcc7ee218eb2a76d1fd1feec31e46add9d7d61f67b361537a5df11f

  • SSDEEP

    12288:Gv0pei36RhGUU/ZUpBPpHXiGGAWjzANEPaXnTQAm8HGSuNAWX4x74tuYmburHWp2:Gcpp36+UbZFB28rjTl6NpXg4t1O

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DHL Delivery Invoice AWB#7490327845.exe

    • Size

      775KB

    • MD5

      12bc629e36e7ceecfdedf345e6087085

    • SHA1

      d5dd6d6ea7ffc4b64199833ae0a4c58ce2dfcf6e

    • SHA256

      3dc418214907aef99792b2b826fec6b837f2b3cd0c5404efb7d5e39b672be7b5

    • SHA512

      5381c26b997e2b5e932dad2aec69e30a643b5cba49c90441c2fb94cb0bd3b8f878fb17626700cde26ab0b7d8cd1b75187f90007edfe6964b78fc0fec424ec629

    • SSDEEP

      12288:+v0pei36RhGUU/ZUpBPpHXiGGAWjzANEPaXnTQAm8HGSuNAWX4x74tuYmburHWp2:+cpp36+UbZFB28rjTl6NpXg4t1O

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks