General

  • Target

    1d6a60d84172996ec0c6e86d63936858c1250ba45917e6036289de0395e5dfc6

  • Size

    1.2MB

  • Sample

    240612-bnl2nsxdra

  • MD5

    c1aa587e5098d163df3ebf7df8aef903

  • SHA1

    79b890440cd1393faa497f0f633f87e19fde4375

  • SHA256

    1d6a60d84172996ec0c6e86d63936858c1250ba45917e6036289de0395e5dfc6

  • SHA512

    c6eb1d8019ad7b09d59a248c7a3e752e609457edacb3e73b4c80ba7156f47c7d69449fd14d0a042c385e10986defa04d0e571311f4faa65ba10b0c5d037e8d5b

  • SSDEEP

    12288:dxuis19r2PFfAyiD2+YLdqOICghxPJd/9p/wXyEn/EKDEm:dxjs1d2VATy+sdqO4djIXyMD

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      RFQ-7448987655788986757937.exe

    • Size

      2.1MB

    • MD5

      c9bfc30fc5fd70bd5d5b6e6997978870

    • SHA1

      6ca99e9f5743257cf45d2d2e31612eabb012806c

    • SHA256

      9bef0bc36f9dd413a45a2b2b90edfe1acce5645bb97e556cfe1b1c1fbaa22933

    • SHA512

      ee5c1e3c99d48dee0b35943fc8d3ef35a950a5fcbf41c9086c1341c1e579418be1a4bf10eaeb9db1aa9da0683e74ae4b88f04443544c28ab0bab1fef57247cf6

    • SSDEEP

      12288:gBRr2PXFAyiDAQY1dqEICg9xP9dp9p3wXy2n/YK1Eg3:y21ATEQwdqEWdRgXyo1F

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET.

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running the payload.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup service to learn the infected system's external IP address.

    • Suspicious use of SetThreadContext
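
The signatures above (Defender exclusions added via PowerShell, the country-code registry lookup, the UAC check, the external IP lookup, and a SetThreadContext-style child process) translate directly into hunt rules over endpoint telemetry. The following is an added example written for this page, not sandbox output or code from the Agent Tesla family: it runs a handful of rules over constructed, simplified process/registry/network events whose field names only loosely follow Sysmon (registry reads are assumed to be available, which Sysmon itself does not log). The registry paths, the IP lookup host list, the .NET host list used for the hollowing heuristic, and the ATT&CK mappings are the author's assumptions, chosen to match the behaviours in this report.

```python
"""Hunt rules for the behaviours flagged in this sandbox report.

Added example for this page; not sandbox output and not Agent Tesla code.
The event shape, sample events, registry paths, host lists and ATT&CK
mappings below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

SAMPLE_EXE = r"C:\Users\v\Downloads\RFQ-7448987655788986757937.exe"

# Constructed telemetry (not from the sandbox run). Field names loosely follow
# Sysmon; registry *reads* are assumed available even though Sysmon omits them.
SAMPLE_EVENTS = [
    {"type": "process", "image": SAMPLE_EXE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": SAMPLE_EXE},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": SAMPLE_EXE,
     "cmdline": "powershell -WindowStyle Hidden -Command Add-MpPreference "
                "-ExclusionPath 'C:\\Users\\v\\AppData\\Roaming' "
                "-ExclusionExtension exe "
                "-ExclusionProcess RFQ-7448987655788986757937.exe"},
    {"type": "registry", "image": SAMPLE_EXE, "op": "read",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "image": SAMPLE_EXE, "op": "read",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "network", "image": SAMPLE_EXE, "dest_host": "api.ipify.org", "dest_port": 443},
    # Sample re-launching its own image is the usual prelude to SetThreadContext hollowing.
    {"type": "process", "image": SAMPLE_EXE, "parent": SAMPLE_EXE, "cmdline": SAMPLE_EXE},
    # Benign noise that must not fire.
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "ctldl.windowsupdate.com", "dest_port": 80},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str      # MITRE ATT&CK ID (author's mapping, an assumption)
    event_index: int
    detail: str


# Defender exclusion cmdlets and the parameters the report describes.
MP_PREF_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.I)
# Encoded commands hide the same cmdlets; flag them for decoding.
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

GEO_KEY_SUFFIX = r"control panel\international\geo\nation"       # assumed key
UAC_KEY_SUFFIX = r"policies\system\enablelua"                     # assumed key
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.dyndns.org",
                   "ip-api.com", "ifconfig.me", "ipinfo.io"}      # assumed list
# .NET hosts commonly hollowed by .NET loaders; heuristic, not a hard rule.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list) -> list:
    """Return one Finding per rule hit, in event order."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            img = _basename(ev.get("image", ""))
            parent = _basename(ev.get("parent", ""))
            if img in ("powershell.exe", "pwsh.exe"):
                if MP_PREF_RE.search(cmd) and EXCLUSION_RE.search(cmd):
                    findings.append(Finding("defender_exclusion_added", "T1562.001", i, cmd[:80]))
                elif ENCODED_RE.search(cmd + " "):
                    findings.append(Finding("powershell_encoded_command", "T1059.001", i,
                                            "encoded command; decode before judging"))
            # Self-relaunch or spawning a .NET host: hollowing candidate.
            if parent and (parent == img or img in DOTNET_HOSTS):
                findings.append(Finding("possible_process_hollowing", "T1055.012", i,
                                        f"{parent} -> {img}"))
        elif kind == "registry":
            key = ev.get("key", "").lower()
            if key.endswith(GEO_KEY_SUFFIX):
                findings.append(Finding("geo_nation_lookup", "T1614", i, key))
            elif key.endswith(UAC_KEY_SUFFIX):
                findings.append(Finding("uac_status_check", "T1548.002", i, key))
        elif kind == "network":
            host = ev.get("dest_host", "").lower()
            if host in IP_LOOKUP_HOSTS:
                findings.append(Finding("external_ip_lookup", "T1016", i, host))
    return findings


def techniques(findings: list) -> set:
    """Distinct ATT&CK IDs hit, for a quick coverage summary."""
    return {f.technique for f in findings}


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule} (event {f.event_index}): {f.detail}")
```

No single rule here is conclusive on its own: an administrator legitimately adds Defender exclusions, and many updaters query an IP lookup service. The value is in the combination, which is why `analyze` returns every hit rather than stopping at the first, so a triage step can require, say, the exclusion rule plus the self-relaunch rule from the same image before escalating.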

MITRE ATT&CK Enterprise v15

Tasks