General

  • Target

    470559644da70ca1f1c631e01457898ab7eee09a0ffef4eb3f84d6b2afc0bd62

  • Size

    641KB

  • Sample

    240604-bgx6csfg7x

  • MD5

    1f71fde2c0bc1ed02e6226401be5716d

  • SHA1

    a7d84f3cb9e8d2163b4b26604ef2e28fcfed16fb

  • SHA256

    470559644da70ca1f1c631e01457898ab7eee09a0ffef4eb3f84d6b2afc0bd62

  • SHA512

    22a46c3eb8978ff22290d799fe7994973dadafe27ca3bf713a88f7b97f230f2564fc6006aabd36c7c8fae18bd8d8489920a31b30e1da103bddadeda5ea5117e9

  • SSDEEP

    12288:gpzkfPDo1FYqpAKAwm8g/oR5Haw7xdsNrQxc1rBVGAcnCO3k:+AnDofLDm81R13dsZ1sQ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      ORDER INVOICE.exe

    • Size

      702KB

    • MD5

      8ed2d8c9c2672b58e4be6fe4ae1cff4d

    • SHA1

      0ed9b9d546d8c1d14d9756b5a490bd48221fc7e8

    • SHA256

      16fb45f6a5200f9cc9287ca597f26feff08ad9ea2987fd49a5703f985963ff59

    • SHA512

      b130c9035305d0a1c82d9a4e36c36130a9136270c22abf7bb8b225e4321ba3905c0acd8b7a90a3b2f3e5a5fe458f85bb33af071464927323b400156eba690b23

    • SSDEEP

      12288:qzy60t/rFfaWYqWVJzzxo/fZ1YAK2OIByOGUQxcZrBVGQi7T+70U:c70N5iWUZo3Z1ZeInGcZ3i7Ti

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks