General

  • Target

    Requirement Specification.exe

  • Size

    3.4MB

  • Sample

    240603-lw4xkabh66

  • MD5

    86b91372dc46212aa7f5310339a6f7f3

  • SHA1

    ddfd08661f0f3a515c3802cf3042b002d1748d53

  • SHA256

    564d2275edd8f622be6717d156c627a346f330549ca2f266985e49a4e5e17204

  • SHA512

    6f2dfbb44854f6021752691d3c4328cdd6b40695fc923b0c28f8432d8c9d4fa217e75dce067ed86a58f8d8e424593035fb3084bee5a1b6b29fa5b872e1211210

  • SSDEEP

    49152:h8yJAk206NICMq5pzKRgqVzKfxgF2/yjmQkk2:2Bsb/kk2

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      Requirement Specification.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks