General
- Target: 2c243d31fa812a2b4d5522a910aff736421c09a28622a95df6be257f6817a75c
- Size: 2.3MB
- Sample: 240522-b24hwagd9z
- MD5: 2dd83e57578f45f7e71f53da4895de17
- SHA1: bfb1c366ece2d1f6e645356b64c63425dc973140
- SHA256: 2c243d31fa812a2b4d5522a910aff736421c09a28622a95df6be257f6817a75c
- SHA512: 1951e94895ade59fdf059a6c0c8a3142072e76882da91e83c36a950a39f263ae82281b0831e50e4dc596e7a767161cf54e04a1dda64c8fa4891ebc0e8696baa3
- SSDEEP: 24576:+J/fwRx5DOae9+2hNqt6g/aX2uPy9zC0ujBlMPEUYL3Ypji43jx/Et0hXWrdmApc:DDr2fqsKaX2aeuoMUfnRE7V7CG+/B9ck
Static task: static1
Behavioral task: behavioral1
- Sample: 2c243d31fa812a2b4d5522a910aff736421c09a28622a95df6be257f6817a75c.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2c243d31fa812a2b4d5522a910aff736421c09a28622a95df6be257f6817a75c.exe
- Resource: win10v2004-20240426-en
Malware Config
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.medicalhome.com.pe
- Port: 587
- Username: [email protected]
- Password: MHinfo01
- Email To: [email protected]
Extracted
- Protocol: smtp
- Host: mail.medicalhome.com.pe
- Port: 587
- Username: [email protected]
- Password: MHinfo01
Targets
- Target: 2c243d31fa812a2b4d5522a910aff736421c09a28622a95df6be257f6817a75c
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)