General

  • Target

    shipping documents.rar

  • Size

    684KB

  • Sample

    240603-gwf4aafd54

  • MD5

    1c88aa02d39e35a3a3fa7cb817ecfd85

  • SHA1

    fec7dfbacdb79e14e080f513c8cb2298cfab35c1

  • SHA256

    abc1ab2d94c3bf032086a2428825c22ba00b3654c6c6aae9bcc36d9c6050a535

  • SHA512

    a9a17b52d56f21fb6cb2de7fc3f022137224e4c90b1668b187f885b57e8774bedffe4078fc5c511bc78e0703b65e46ea8ca1d57a02f7b71a005a66d2fdc1992d

  • SSDEEP

    12288:+zMdUngKgdR2on62yTxkCzeiHFAgrik4UI4szNvd3EKd2iTVuZThrZKrgvzal:+AE1gdEoTyTneilruTW4VuVhrEMvzal

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      shipping documents.exe

    • Size

      721KB

    • MD5

      11bdbb99b474b15e0b04e488061e9256

    • SHA1

      db8bcdd61414f1388f455e8b4ce6ae5554ca38f3

    • SHA256

      05b60524cb82eb522b46db014a5ec190e35d9fd433e7624232b53f142b3ed1a1

    • SHA512

      558f471c17b3b701e059514002155a4f4d71dbe9159ebc5326f158a7fda241ae6445139899af5db663bd0ee2fcd5c952f7b248a2486be354b32d155ca503ed5f

    • SSDEEP

      12288:zPO4mPK3Rx2Mewaliv+ilMkLbjfm2HV5gos04pG7PaD3H4lN3179DoDq74nXetkR:i4m02MewWivqkLbjfmQV4077yjH4f3Vu

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks