General

  • Target

    fcaaf8296552e9a4bb23f21e2c88801c3783a163626b44b6cef6e17bbde07bf0.exe

  • Size

    731KB

  • Sample

    240521-b7271aef6x

  • MD5

    81cb8ea8d9b46383fcb2a1a46e8b88bc

  • SHA1

    9eb657a5d0836dbc323fc3c129e133c14f99d7d1

  • SHA256

    fcaaf8296552e9a4bb23f21e2c88801c3783a163626b44b6cef6e17bbde07bf0

  • SHA512

    8620f2376ca0ae293e9eebb8335e2fe63cf420ddfe00de4f0532424e816ced1e64eef314c02f4f74b9cb4f82a86f543dc435dcb92e6ad2d3dad949e5a258c705

  • SSDEEP

    12288:bYWET/mr9KfW+G84wBj5J3MvgHUgwszbpy+uPnO/FdPa4g+m/bb821RMSQkR:bYWtjV+J8oHUgwszc+uPaPnO/bbJJ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      fcaaf8296552e9a4bb23f21e2c88801c3783a163626b44b6cef6e17bbde07bf0.exe

    • Size

      731KB

    • MD5

      81cb8ea8d9b46383fcb2a1a46e8b88bc

    • SHA1

      9eb657a5d0836dbc323fc3c129e133c14f99d7d1

    • SHA256

      fcaaf8296552e9a4bb23f21e2c88801c3783a163626b44b6cef6e17bbde07bf0

    • SHA512

      8620f2376ca0ae293e9eebb8335e2fe63cf420ddfe00de4f0532424e816ced1e64eef314c02f4f74b9cb4f82a86f543dc435dcb92e6ad2d3dad949e5a258c705

    • SSDEEP

      12288:bYWET/mr9KfW+G84wBj5J3MvgHUgwszbpy+uPnO/FdPa4g+m/bb821RMSQkR:bYWtjV+J8oHUgwszc+uPaPnO/bbJJ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks