General

  • Target

    STATEMENT OF ACCOUNT.exe

  • Size

    865KB

  • Sample

    240603-lcpnjabc45

  • MD5

    f76b4b71b1686a349e4f3c5770b27449

  • SHA1

    1c033d5efb45f05d04ec962edd1d626149a0630c

  • SHA256

    d46dd8b1ef453a087501831daa8ceddd875ad06a7f13ad06181f61f92e89d96a

  • SHA512

    c82148c639149675da30cb638ce401d4f8cfd84ede59e6ce2e4c93585632be401d19bd18a833b6b8a939aa9fddf97f83799a5de2ff986ecfa0bb8ef98ec5ae1d

  • SSDEEP

    24576:AMYeI6ZN5iYnadY8GsO98B08izf1nl0aq:AMYeXN5i2ChGSB0dnlq

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      STATEMENT OF ACCOUNT.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks