General

  • Target

    document.exe

  • Size

    679KB

  • Sample

    240603-ltyb1aae61

  • MD5

    bb277f03c2e761e03643369ef4d9f1da

  • SHA1

    8f44aa9566f9da9c7086d6da8f080c7a7de52050

  • SHA256

    8054c765c0425811e3632409c6bbd9149fde1de08593796957ca55ead7e9e683

  • SHA512

    e5d754214062f9f7767116d9aaa23abf70094a113cd682d257c145ca7e0825d344259149087df4dfee14ead93e61b476c2135522a859d8720d625a5693846cf0

  • SSDEEP

    12288:m67FxhThagHCN1x2W6BU8KbYJ6BrBpz86Q5NxdDHEYMxVhmaAkgBzJzmh:pDhThagq1/60bYG1pz8LN+hmacBNzmh

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      document.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks