General

  • Target

    874f7647b014cbe79481dcb811ce8bb058f1a157a6694d1fdfd9470388ce9f90.rar

  • Size

    652KB

  • Sample

    240609-mfbfraaa57

  • MD5

    ac5305b1ad7838f1afe1a6ea91890039

  • SHA1

    9815a84ab513a2ba133bc1ff88e9a33382ce9e04

  • SHA256

    874f7647b014cbe79481dcb811ce8bb058f1a157a6694d1fdfd9470388ce9f90

  • SHA512

    69b3da1710bf52d8b164571fb8f948b6156f4d729d1b8f12f7fb256c5b9896238637ee9bcb0f4327927b8e8036f93eae260cbabf6bfae6357b6496727915ca26

  • SSDEEP

    12288:/RzVgLligymUkIjhCG6MnKgdZMzJF3TP+on8oDQQRrKCPTDBlEmZYpcTduw2ZSkb:pz8lTX1GRNdQ/Pts4rKUEtL83C

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SOA pdf.exe

    • Size

      717KB

    • MD5

      0e928f8ca2a45826211c1e02c9ae09f8

    • SHA1

      502ba9469f174b8ae062278be8ca847616d4e0f8

    • SHA256

      3c4a6a16a5d8679e83400b100265e0513f5993e513d5f17c875976b09cd1bf25

    • SHA512

      1ae4d75d15026e3277b42918756b1bc7a91960811136af4672ca48c9b943279b4ff22be4382275629693ae9f17b0c3e95ac1ade95c5bf167086015478aca4ca4

    • SSDEEP

      12288:I3qyJMM/F1KswrqeiQgLI/VvH8WX1wMVeARbNPnN9jXBOQS6XczZLK4I7ukDkR:I6ON1KAYVvH8inwARbNPNNX3VMBK41kW

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks