General

  • Target

    1#.ace

  • Size

    7KB

  • Sample

    240603-kc4l1sad43

  • MD5

    f50aee74fcda3ea10ee3c2f5d3d75662

  • SHA1

    3a506a6f221ba531b66632670978efddd2be959d

  • SHA256

    5bda2e2623e9c30c9571c974005206a3ebd4e66009069f0105597a9449ff7c57

  • SHA512

    8785aaaff66d5d9b3ed56ba8e1da72cc3aada04a7524f5eacb5f9d45fae01792454ac5e922ea318fb8c76419d592fc751f67c1c1a54c64b7b141110df6074e70

  • SSDEEP

    192:+mBbxe59xTzGyNye05wSi++MY5uNAZN54JA24gZeC33hlSYzLoBX:+my5rzF792+MIuNAZNCJoZCHh8V

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      overdue_invoice.vbs

    • Size

      15KB

    • MD5

      7078829e255df55f25a8bcaa9bdaffb4

    • SHA1

      1bcacd12305661a2dedecb4eb6f8ad57ae5d672e

    • SHA256

      d16ea5d6d40c9020b99032eaefab9b62f3c63bae12d24103a6b10ac5a2dcd34c

    • SHA512

      4d56cc648febb1c0dceb44e41415cb30a9e975997f5d3fa67b97e2a039d6068f383e285daeb39b50eb0b18bd1a1c5c102544f2670e54e3109cff74d6268e1495

    • SSDEEP

      192:ulJUFFdUTxfDs+rHw7FEFggnliEWHxg40HG5Q6MkouP0L3gwJSi3qMFP6WPS6vMy:ulCHkxNrHwhEjiIvkJ8LJRY4Er8saQa

    • AgentTesla

      Agent Tesla is a .NET-based remote access trojan (RAT) and credential stealer, historically built in Visual Basic .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Reads the country/locale code configured in the registry, most likely as a geofence check to avoid running in certain regions.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Queries a legitimate public IP-lookup web service to discover the infected host's external IP address.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
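The behaviour signatures listed for overdue_invoice.vbs map naturally onto rules over a sandbox's event stream. The following is an added Python example, not the sandbox's own code and not code from the AgentTesla sample: it classifies constructed API, registry and network events into those signature names and maps each fired signature to an ATT&CK technique. The "category|detail" event format, the registry paths, the list of IP-lookup hosts and the ATT&CK mapping are assumptions made for illustration; the constants 0x11 (ThreadHideFromDebugger) and 0x4 (THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER) are the documented Windows values.

```python
"""Tag sandbox events with the behaviour signatures listed above.

Added example, not the sandbox's or the sample's code. The "category|detail"
event format, registry paths, IP-lookup host list and ATT&CK mapping are
assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample events (not a real trace) in a hypothetical
# "category|detail" format.
SAMPLE_EVENTS = [
    "registry_write|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update=C:\\Users\\user\\AppData\\Roaming\\upd.exe",
    "registry_read|HKCU\\Control Panel\\International\\Geo\\Nation",
    "network|GET http://api.ipify.org/",
    "api|NtSetInformationThread(ThreadInformationClass=0x11)",
    "api|NtCreateThreadEx(CreateFlags=0x4)",
    "api|SetThreadContext(hThread=0x1a4)",
    "api|NtSetInformationThread(ThreadInformationClass=0x2)",  # thread priority: benign
    "network|GET http://example.com/",                          # not an IP-lookup host
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# GetUserGeoID reads the configured country from this value (assumed geofence source).
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "checkip.dyndns.org"}

THREAD_HIDE_FROM_DEBUGGER = 0x11               # ThreadInformationClass for NtSetInformationThread
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4   # CreateFlags bit for NtCreateThreadEx


def _int_arg(detail, name):
    """Parse `name=<int>` (hex or decimal) out of an API call string."""
    m = re.search(re.escape(name) + r"=(0x[0-9a-fA-F]+|\d+)", detail)
    return int(m.group(1), 0) if m else None


def _host(detail):
    """Extract the host part of the first http(s) URL in the detail string."""
    m = re.search(r"https?://([^/\s:]+)", detail)
    return m.group(1).lower() if m else None


# (signature name, event category, predicate over the detail string, ATT&CK technique)
RULES = [
    ("Adds Run key to start application", "registry_write",
     lambda d: RUN_KEY_RE.search(d) is not None, "T1547.001"),
    ("Checks computer location settings", "registry_read",
     lambda d: GEO_KEY_RE.search(d) is not None, "T1614"),
    ("Looks up external IP address via web service", "network",
     lambda d: _host(d) in IP_LOOKUP_HOSTS, "T1016"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "api",
     lambda d: d.startswith("NtSetInformationThread(")
     and _int_arg(d, "ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER, "T1622"),
    ("Suspicious use of NtCreateThreadExHideFromDebugger", "api",
     lambda d: d.startswith("NtCreateThreadEx(")
     and bool((_int_arg(d, "CreateFlags") or 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER), "T1622"),
    ("Suspicious use of SetThreadContext", "api",
     lambda d: d.startswith("SetThreadContext("), "T1055.012"),
]


def classify(events):
    """Return {signature name: [matching event lines]} for the given events."""
    hits = defaultdict(list)
    for line in events:
        category, _, detail = line.partition("|")
        for name, wanted, matches, _technique in RULES:
            if category == wanted and matches(detail):
                hits[name].append(line)
    return dict(hits)


def attack_techniques(hits):
    """Sorted, de-duplicated ATT&CK technique IDs for the fired signatures."""
    fired = set(hits)
    return sorted({tech for name, _, _, tech in RULES if name in fired})


if __name__ == "__main__":
    result = classify(SAMPLE_EVENTS)
    for name, lines in result.items():
        print(f"{name}: {len(lines)} event(s)")
    print("ATT&CK:", ", ".join(attack_techniques(result)))
```

The two anti-debugging rules key on the argument values rather than the API name alone: NtSetInformationThread is called legitimately all the time (the 0x2 ThreadPriority event above must not fire), and only class 0x11 detaches the thread from the debugger. SetThreadContext on its own is weaker evidence; in a real trace it would be worth correlating with a suspended child process and a preceding WriteProcessMemory before reporting process hollowing.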

MITRE ATT&CK Enterprise v15

Tasks