General

  • Target

    d4197918415ed464b016e2c0c86772b1c62d05ff501b3e96f5fa59d5f7e5bcb1

  • Size

    752KB

  • Sample

    240519-bema3sab92

  • MD5

    5d5acbd67df19917d67288f84ff7b829

  • SHA1

    a9f4c16b95b1056730125375b5162586b3daa440

  • SHA256

    d4197918415ed464b016e2c0c86772b1c62d05ff501b3e96f5fa59d5f7e5bcb1

  • SHA512

    607ba3e608b263a1f1cd5ca8865619b3942eb6fbe6ee6f7a83488949e68e9d5fde37c3a8556b7747365edd73a0bc069392f108750349fdd423be1e1a12d9c812

  • SSDEEP

    12288:vhE2iNT/SHqRo60GwgM9bEDAN6wLgRD1ittXvQTZVOAGia:ve1cHGo65wlNrgBqyz1G

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15