General

  • Target

    344708b93ece74c0fe93ed34191ee43aebccde3d6ef7f2c8c62e67018acddc97

  • Size

    766KB

  • Sample

    240612-b61yjsybjl

  • MD5

    e88263dfdc0928a1fd261c3893cf9a2d

  • SHA1

    cfdbf47435e6e49e31d0cbdd086db81f7aa34e80

  • SHA256

    344708b93ece74c0fe93ed34191ee43aebccde3d6ef7f2c8c62e67018acddc97

  • SHA512

    41c16ed89c27548f008a207e15fef2c72212c646b9ce56e41083d7cfb9aac3f9e7c3d04dfba1ccec1c9c58a4da80e3666e7a432d40b21413c555987220916040

  • SSDEEP

    12288:U4NID3HH3DI+eWFy4q5dAiawpaFwKTFcwXqauSL09G/MxwbaO9jsqf9Xe:XNIjH3DIP0y4q6wpa2sFWauCMi3Nf9e

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      344708b93ece74c0fe93ed34191ee43aebccde3d6ef7f2c8c62e67018acddc97

    • Size

      766KB

    • MD5

      e88263dfdc0928a1fd261c3893cf9a2d

    • SHA1

      cfdbf47435e6e49e31d0cbdd086db81f7aa34e80

    • SHA256

      344708b93ece74c0fe93ed34191ee43aebccde3d6ef7f2c8c62e67018acddc97

    • SHA512

      41c16ed89c27548f008a207e15fef2c72212c646b9ce56e41083d7cfb9aac3f9e7c3d04dfba1ccec1c9c58a4da80e3666e7a432d40b21413c555987220916040

    • SSDEEP

      12288:U4NID3HH3DI+eWFy4q5dAiawpaFwKTFcwXqauSL09G/MxwbaO9jsqf9Xe:XNIjH3DIP0y4q6wpa2sFWauCMi3Nf9e

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks