General

  • Target

    2d259c3a113d936af64d69f19d3cc5252625ab45fdc8c9d7b69bb44c86fcd94f

  • Size

    610KB

  • Sample

    240519-bes4maac22

  • MD5

    f5a0464b072def60e6366abb81b05252

  • SHA1

    84c68024791ce11648d4ec363c8703ce03037fb3

  • SHA256

    2d259c3a113d936af64d69f19d3cc5252625ab45fdc8c9d7b69bb44c86fcd94f

  • SHA512

    4a803b0638011bc6948a3e97b6dc0015ca592b316be77e4482235777f0da2a82e57ed8ee98de2f651fc816fdbc395c3a1dcdf688b55fd355ff50c54316d4175a

  • SSDEEP

    12288:yRfHhxVzsP5wzyNwv5gs3MjeNPq0wKrCHrT3GQzRVPUYvV3L2dXEg:yXxU5wzaktc4PEWCHfGQzbPfvFydXEg

Malware Config

  • Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks