General

  • Target

    5be914c978e8a858a23d07b9c78e506741349369484762bc424b87a8934ff7df.7z

  • Size

    713KB

  • Sample

    240609-mmzrxsab66

  • MD5

    fb097d61328838c3a21e9859f7b6908a

  • SHA1

    b3f9c3ac5429e73377837132cd18f88447bc5738

  • SHA256

    5be914c978e8a858a23d07b9c78e506741349369484762bc424b87a8934ff7df

  • SHA512

    1da2296313d375598c3a7c878ef27babb48827260b48a8c10c15953e25b5d5bc0f25ecdffa10a98d9fb4cb2ef04f4d468de6ba6b9d05060f315928a21fc9fc79

  • SSDEEP

    12288:5zpiZf6+UWweHA8FkEbDmEO35/FrKqZ5dnGN3F8hgriAvSKGiHbZGpEIknyVO6Cp:viZi+WuJiEbSESP+B3F8hloSG9GpEIkV

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      packinglist and shippment.exe

    • Size

      977KB

    • MD5

      1165b11c05474471dc47ff054f8e4398

    • SHA1

      41977ff5db4bac80d999bb8c5d6eceaee6d3b9ea

    • SHA256

      dd566ea9737c75cf44885c842a944952d23abc1fb315867b4f07c3b8f37ce01b

    • SHA512

      3dc9dbb18a581630daa00bc59d7aee668881c5464ab7b32b2bd65d9e80376c4e3d5029cce902c9576c05c58dc8c46b2ddf44e8b8add692b6065287c617a3cc6d

    • SSDEEP

      24576:1ggC3c6a+JXEbSEnORzgF4hWV5ukNaEIkq1BYyS+TigtY+VT3rMxV:1/YJXEbS9FkV5ukNaEL2uySuigtY+VTc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks