General

  • Target

    b701bf37269733703c98781507453ff72ee36b7882d35ffc6717e1eb67b4212b.exe

  • Size

    850KB

  • Sample

    240604-b8fqdshh58

  • MD5

    7b6cc45ab91112f8fc9ad6d225028260

  • SHA1

    8d3d248367b3245e7514c2d62887c72622ecf669

  • SHA256

    b701bf37269733703c98781507453ff72ee36b7882d35ffc6717e1eb67b4212b

  • SHA512

    73a550c19c575710ff4c06cd2ce03b76c94a9dc14be1ce5160ca16fd797b187c6b2dc4aefa4e9d20e12d1b804700985f702ba2e50af34f381a125239da64d900

  • SSDEEP

    12288:vMYeaky/Qa0KP1x+kPwu9JoTO8DLt/rFfasNyCEMxg6zhAr/kHLrHLtq1y34ms6:vMYeFOON5isNyCEMxHhzHLPtq834ms6

Malware Config (extracted)

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      b701bf37269733703c98781507453ff72ee36b7882d35ffc6717e1eb67b4212b.exe


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer built on the .NET Framework (originally in Visual Basic .NET), which is why the sample is flagged below as a packed .NET executable.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain regions).

    • Suspicious use of SetThreadContext

      Rewriting another thread's context after writing to its process is typical of process hollowing or thread hijacking, where the payload is injected into a suspended legitimate process.
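The three dynamic signatures above (Defender exclusions via PowerShell, the registry country-code lookup, and the SetThreadContext sequence) can be re-implemented as detection logic over endpoint telemetry. The block below is an added example, not the sandbox's own signature code and not taken from the sample; it runs over constructed Sysmon-style events (field names `event`, `pid`, `image`, `cmdline`, `key`, `api`, `args` are assumptions), decodes `-EncodedCommand` payloads before matching, and assumes the geofence check reads under `Control Panel\International\Geo`, which is the key the sandbox description most plausibly refers to.

```python
"""Detection logic for the AgentTesla behaviours listed above, run over
constructed Sysmon-like events. Example code; not the sandbox's signatures."""
import base64
import re

# Constructed base64 UTF-16LE payload, as PowerShell -EncodedCommand expects it.
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")).decode()

# Constructed sample telemetry (not from the sandbox run).
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command \"Add-MpPreference -ExclusionPath "
                "'C:\\Users\\victim\\AppData\\Roaming\\svc' -ExclusionExtension exe "
                "-ExclusionProcess svc.exe\""},
    {"event": "process_create", "pid": 1104,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + ENCODED},
    {"event": "registry_query", "pid": 1080,
     "image": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},   # assumed geofence key
    {"event": "process_create", "pid": 1200,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe readme.txt"},
    # API trace of the dropper hollowing a child created suspended (constructed).
    {"event": "api_call", "pid": 1080, "api": "CreateProcessW",
     "args": {"flags": 0x4, "new_pid": 5678}},
    {"event": "api_call", "pid": 1080, "api": "NtUnmapViewOfSection", "args": {"target": 5678}},
    {"event": "api_call", "pid": 1080, "api": "WriteProcessMemory", "args": {"target": 5678}},
    {"event": "api_call", "pid": 1080, "api": "SetThreadContext", "args": {"target": 5678}},
    {"event": "api_call", "pid": 1080, "api": "ResumeThread", "args": {"target": 5678}},
]

DEFENDER_CMDLETS = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# Full parameter names only; PowerShell also accepts unambiguous prefixes.
TAMPER_PARAMS = re.compile(r"-(Exclusion(Path|Extension|Process)|Disable\w+)\b", re.IGNORECASE)
ENCODED_CMD = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CREATE_SUSPENDED = 0x00000004
HOLLOW_SEQUENCE = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else cmdline."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def defender_tampering(cmdline):
    """Sorted list of Defender-weakening parameters passed to *-MpPreference, or []."""
    script = decode_encoded_command(cmdline)
    if not DEFENDER_CMDLETS.search(script):
        return []
    return sorted({m.group(0) for m in TAMPER_PARAMS.finditer(script)})


def is_location_lookup(key):
    """True for reads of the user's configured geographic location (assumed key)."""
    return "\\control panel\\international\\geo" in key.lower()


def process_hollowing(events):
    """Child pids created CREATE_SUSPENDED whose creator then wrote memory,
    rewrote a thread context and resumed the thread, in that order."""
    creator, progress, hits = {}, {}, []
    for ev in events:
        if ev["event"] != "api_call":
            continue
        api, args = ev["api"], ev.get("args", {})
        if api.startswith("CreateProcess") and args.get("flags", 0) & CREATE_SUSPENDED:
            creator[args["new_pid"]] = ev["pid"]
            progress[args["new_pid"]] = 0
        target = args.get("target")
        if target in progress and ev["pid"] == creator[target]:
            if api == HOLLOW_SEQUENCE[progress[target]]:
                progress[target] += 1
                if progress[target] == len(HOLLOW_SEQUENCE):
                    hits.append(target)
                    del progress[target]
    return hits


def triage(events):
    """Return (signature, pid, detail) tuples for every matching behaviour."""
    findings = []
    for ev in events:
        if ev["event"] == "process_create" and "powershell" in ev["image"].lower():
            params = defender_tampering(ev["cmdline"])
            if params:
                findings.append(("defender_tampering", ev["pid"], params))
        elif ev["event"] == "registry_query" and is_location_lookup(ev["key"]):
            findings.append(("geofence_check", ev["pid"], ev["key"]))
    for target in process_hollowing(events):
        findings.append(("process_hollowing", target, None))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The hollowing check deliberately tolerates unrelated calls between the three required ones (the trace above has NtUnmapViewOfSection in between) but insists on the order, since a legitimate debugger may call SetThreadContext without ever resuming a freshly created suspended child.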

MITRE ATT&CK Enterprise v15
