General

  • Target

    1d77439d7d79954a16a0b6f8f3bff0e3d5b079c3ff602641a4b6fa24ea2f2da7.zip

  • Size

    661KB

  • Sample

    240609-lvsg5shf92

  • MD5

    b3440f88bef755f9063f6eadf54dbc48

  • SHA1

    0846ffda47a30f42dbc2f806fc2bab890077f41c

  • SHA256

    1d77439d7d79954a16a0b6f8f3bff0e3d5b079c3ff602641a4b6fa24ea2f2da7

  • SHA512

    c890d496c1569ae326e43dbb7e93c9ecda520a66ad84da083abc09294e2472ca55882068f080653a43930d7c62f84d7a1776d3a1945f88645e2841cbe29f6086

  • SSDEEP

    12288:utaYIgogJx1jSbAqycgWRXp5xw0hlqus7cneT3oQLOVaOx3dom0bRMqJ:OabgogJxc0qycJRXp5xlhsc1sJ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      AWB#5305323204643.exe

    • Size

      785KB

    • MD5

      34c09836453951d6b12dc61c69c2e23a

    • SHA1

      8c75f57b9929fcc4dc3005d092268a0589fcdab9

    • SHA256

      d5a64294b4a47e260bf84a9819474e15fa6ffe9ee515a5db68967fd2837f9f1d

    • SHA512

      9290671794704bac01454571468ff365004521ab4fa14bb32d9f12de868e23987d2ad7ba33ae3c6cddb295a453361209a2c4ec1fc85efaf916e2f32575b37387

    • SSDEEP

      24576:avRC3c6GxY0hbtGs1KpG836sqg+aIymzK7PgtY+VTYC:a5NY0hZGs1K+sqgN/EKbgtY+VTY

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks