General

  • Target

    d6a6b81a066b5b7a8194929ff127f2c125ccba02a6e8a0319a7cca931cd9788a.zip

  • Size

    681KB

  • Sample

    240609-lne88sgh2x

  • MD5

    32e4201c168e59371bb5ad1895fd5f6b

  • SHA1

    268f5254534f282c7a9302ce50b19f89a78b6bb2

  • SHA256

    d6a6b81a066b5b7a8194929ff127f2c125ccba02a6e8a0319a7cca931cd9788a

  • SHA512

    9685eed4f9c3239032bdd6a194068506786adda8deebe8dddcf6282db459f8386fee7986df9c66c7db270562a8b77ffda2971f11441a450a407def014f8a4577

  • SSDEEP

    12288:9unaJW+Nq5jjZOyoiZFrjkrqsE4P24lwEeon7m78bPo7p:rNq5hLoiZGqsibJS7m7ePo7p

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      STATEMENT OF ACCOUNT.exe

    • Size

      779KB

    • MD5

      c3245f5ed1ef3b1fa4065c8cb4cd27c8

    • SHA1

      f3bfaf829add69d1c39a5045fba5faa02b345f20

    • SHA256

      113e56cc0bb3dca13bf13c0e47a25b102b4f8e7af8b156fc7e6fcd76ba40c8ff

    • SHA512

      6a9760e20b5114c56cd31cba377f9fa54812dab6e4e90f533a214b88a519e89c85a84249e02458b7a060635f755833f006134d064b828b73fc3cd36dd228d818

    • SSDEEP

      12288:GQt+5v4c5nvCRzsgfZ+E40r9RqTBtF3Q0XsKNr+u9Y6vdjTOM5H0dG1qqQ24FPzn:0BtF3Q0XLCuy6vpfOeH1eCrXW

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks