General
- Target: 92ff947058fa4ce4d1ee055578b409e96ac039175a0089942078009dc4880d6d
- Size: 782KB
- Sample: 240521-bz42madh95
- MD5: 731dc01c999ccaaea3daf9f70dca56c6
- SHA1: 17861a9dfc84cb7b25b01aa35a38e50a5246ada4
- SHA256: 92ff947058fa4ce4d1ee055578b409e96ac039175a0089942078009dc4880d6d
- SHA512: 158f3173717e546e8aa61fbef3b4a8f87e0d87dba7e75e5388c0f2561866cf551116fa3d788f23cda1a412440cbdac18db4121703d332d9bb8a4fbe326a5fe6f
- SSDEEP: 24576:Ey3yRqbqNgIZmtxXT8e+JHa43Tg3FGhEmGE:E0yECgIctwM3rM
Static task: static1
Behavioral task: behavioral1
- Sample: April Accounting Ledger.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: April Accounting Ledger.exe
- Resource: win10v2004-20240426-en
Malware Config
Extracted (family: agenttesla)
- Protocol: ftp
- Host: ftp://ftp.skitz.com.ng
- Port: 21
- Username: [email protected]
- Password: Kosyano1@
Extracted
- Protocol: ftp
- Host: ftp.skitz.com.ng
- Port: 21
- Username: [email protected]
- Password: Kosyano1@
Targets
- Target: April Accounting Ledger.exe
- Size: 1.0MB
- MD5: 9b8544c46d581622f7d13513c90960d7
- SHA1: ab8f26ade5e500fa6b0ad95cf526ef0d163bee04
- SHA256: f872e441743cc9c85aa611b5060dd2d5b392adf20eae28ff57716a4a64dc96b5
- SHA512: 752b3de1874cac45dd3317fba21260638af77ae0d0d655a787178a798c8ffdaf221ea24963de213912ea6b102d782dc050fdbf54923d190bd5b9e8d1ec6e485d
- SSDEEP: 24576:MzsxWtb3BEvGdb3AQfGZ3TI53jWVeCMSpSpmax:M5ZBEed1Y3kqVeCMeTax
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
- Scripting (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)