General

  • Target

    0881d50ec07e04e73ed8db5ecf9490ecdaeec167e28d01eb22aeee4f1e77e396.arj

  • Size

    637KB

  • Sample

    240604-bdl9paff4t

  • MD5

    d593b0d56c5d1d9220a9c293e3e5d093

  • SHA1

    38d28d04664f191d5f537cdc9637e1a1fae1939e

  • SHA256

    0881d50ec07e04e73ed8db5ecf9490ecdaeec167e28d01eb22aeee4f1e77e396

  • SHA512

    ae27758714aa9cc40b099f98a23b0b1c3052d494f8ad687b829359d84c51eb6d18506cd4b0ee18b5ce5a9f2a2640d8bb2ec3ededb00a753498e15ab72efc6f5f

  • SSDEEP

    12288:zVFRwWXxL+GOxxkAdakd92aovxfkPVpun6ayy8Jfld2ysiw9dfBPY:/xL+GOLweH6MLu6ayy8XyikBA

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      EA1205-24-25607 QUOATATION.exe

    • Size

      698KB

    • MD5

      a5600816a7e60f1ac466eb56bbfbbbd4

    • SHA1

      05735b0f2503a5f55cd3799306d80540558c86bf

    • SHA256

      031c712370f6c655fdd1e11f2eecae2065106e3f6588415dd9dfb42914e557ec

    • SHA512

      78a02f32113b1a29ad802501613db14920032ccca5ee5c2b29ab6963e624fb9cfa1ca95ba0196a327024e7e7f33bdeea9affcba701e31832d421e6aacfeed2ce

    • SSDEEP

      12288:7MEKt/rFfalC4RfSHvsgZwTu1ibmUSEBUbrB4zXrw0Nii2g6ZjFdNw+vRiRyrXPe:tKN5iljRfWF/UsrmzzQFLw+QkJlWJ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.

    • Detects packed .NET executables, mostly AgentTesla v4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
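
The three behavioural signatures above (Defender exclusion tampering via PowerShell, the registry country-code lookup, and the external IP lookup) are the kind of telemetry a detection engineer would want to correlate per process rather than alert on individually. The block below is an added example and is not the sandbox's own rule set or any code from the report: it runs three small rules over constructed telemetry records (a PowerShell script block, a sandbox API-trace entry and an HTTP request, all invented for the example) and flags a process only when it trips more than one rule. The registry key fragments and the list of IP-lookup hosts are assumptions chosen to match the behaviours described; the record layout is likewise made up for the example.

```python
"""Constructed detection logic for three behaviours listed in the report:
PowerShell Defender-exclusion tampering, a registry check of the configured
country, and an external-IP lookup. The telemetry shape, registry fragments
and host list are assumptions for this example, not the sandbox's own rules."""
import re
from collections import defaultdict

# Cmdlets/parameters that add Defender exclusions or switch protection off.
_MP_CMDLET = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
_MP_PARAM = re.compile(
    r"(?i)-(ExclusionPath|ExclusionExtension|ExclusionProcess|DisableRealtimeMonitoring)\b")

# Registry locations that reveal the configured country/language (assumed indicators).
_GEO_KEY_FRAGMENTS = (
    r"control panel\international",   # HKCU ...\International\Geo\Nation, sCountry
    r"control\nls\language",          # HKLM ...\Nls\Language\InstallLanguage
)

# Legitimate "what is my IP" services commonly abused by stealers (assumed list).
_IP_LOOKUP_HOSTS = {
    "api.ipify.org", "checkip.dyndns.org", "ip-api.com",
    "icanhazip.com", "ipinfo.io", "checkip.amazonaws.com",
}

# Constructed sample telemetry (not from the report). pid 4120 behaves like the
# sample; pid 5000 is benign; pid 6100 does a lone IP lookup (e.g. an updater).
SAMPLE_EVENTS = [
    {"type": "powershell_scriptblock", "pid": 4120,
     "text": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' "
             "-ExclusionExtension '.exe' -ExclusionProcess 'RegSvcs.exe'"},
    {"type": "api_call", "pid": 4120, "api": "RegQueryValueExW",
     "args": {"key": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo",
              "value": "Nation"}},
    {"type": "http_request", "pid": 4120, "method": "GET",
     "host": "api.ipify.org", "path": "/"},
    {"type": "powershell_scriptblock", "pid": 5000,
     "text": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"type": "http_request", "pid": 6100, "method": "GET",
     "host": "ipinfo.io", "path": "/json"},
]


def classify(event):
    """Return (rule, detail) pairs triggered by one telemetry record."""
    hits = []
    kind = event.get("type")
    if kind == "powershell_scriptblock":
        text = event.get("text", "")
        if _MP_CMDLET.search(text):
            # Normalise parameter names so the detail is stable across casing.
            params = sorted({p.lower() for p in _MP_PARAM.findall(text)})
            if params:
                hits.append(("defender_exclusion", ",".join(params)))
    elif kind == "api_call" and event.get("api", "").startswith("RegQueryValueEx"):
        args = event.get("args", {})
        key = args.get("key", "")
        if any(frag in key.lower() for frag in _GEO_KEY_FRAGMENTS):
            hits.append(("geo_registry_check", key))
    elif kind in ("http_request", "dns_query"):
        host = event.get("host", "").lower().rstrip(".")
        if host in _IP_LOOKUP_HOSTS:
            hits.append(("external_ip_lookup", host))
    return hits


def triage_events(events):
    """Run every rule over the records; each hit keeps its originating pid."""
    out = []
    for ev in events:
        for rule, detail in classify(ev):
            out.append((ev.get("pid"), rule, detail))
    return out


def suspicious_pids(events, min_rules=2):
    """Correlate per process: flag a pid only when it trips min_rules distinct
    rules, so a lone IP lookup by a legitimate updater is not an alert."""
    by_pid = defaultdict(set)
    for pid, rule, _ in triage_events(events):
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    for pid, rule, detail in triage_events(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {detail}")
    print("flagged:", suspicious_pids(SAMPLE_EVENTS))
```

On real hosts the first rule maps onto PowerShell script block logging (Event ID 4104) or process command lines; the registry read would come from an API trace or ETW rather than Sysmon, which does not log value reads; the host check can be fed from proxy, DNS or Sysmon network events. Raising min_rules to 3 trades recall for precision.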

MITRE ATT&CK Enterprise v15

Tasks