General
Target: PI_230524.exe
Size: 531KB
Sample: 240523-s4r2asgb44
MD5: fe3bcba4cdc4ae741ee54de500496669
SHA1: e27ac7c118efb35b85abf8dc4300a6291737dea2
SHA256: 86d74d655679ee232b8fcf1a0013a17972b6b93aed25ae8beccd5864a9a1ecbe
SHA512: d337947fcb86f48b30e676b105c584811723dacf16ce3af4cdac70607a239d9b5aaf93b0abd54754cc7801cac7a86fd7da293655d0dcfa4de32147df75ae9ff8
SSDEEP: 6144:+Y8i9d6ihOq761Mymf40IoBdLlNZ4DYvP+TV5lKiecmMlGvtClbUpEjoltWucv:8K6+L761MymflCYX+EixjlGHu8ltWuq
Static task: static1
Behavioral task: behavioral1
  Sample: PI_230524.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: PI_230524.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.showpiece.trillennium.biz
Port: 587
Username: light@showpiece.trillennium.biz
Password: ]2p65r?5jH32
Email To: build@showpiece.trillennium.biz
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (3)
- Subvert Trust Controls (1): Install Root Certificate (1)