General

  • Target

    553ff1a6d805c5bc4001fe69e6bbf70859ebf43dcd6eba63913eb588ec4e4617.exe

  • Size

    683KB

  • Sample

    240612-bval8axfmk

  • MD5

    aebb548e083bbb78251851d3ff149bcc

  • SHA1

    0be016e7487657888bd2b2e71fd1c1d8db1e0edc

  • SHA256

    553ff1a6d805c5bc4001fe69e6bbf70859ebf43dcd6eba63913eb588ec4e4617

  • SHA512

    a4a68e8e5bacd79ff80febdc9eb38a45ed38dc1a1738a29b5362588bc2c607c2c52c6388e5c42189e58cb4db1a8fe360d2899e37b244a100529672d6787b85ea

  • SSDEEP

    12288:6VOBA7sOJsMbPdhOpEYhzQnJdzTjGqK6b3qtD9XNt5/ycdzdULpMqyJMNBeCpkR:qqAYOJZbPdTYhzQJdXTFTibdZUtOf

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      553ff1a6d805c5bc4001fe69e6bbf70859ebf43dcd6eba63913eb588ec4e4617.exe

    • Size

      683KB

    • MD5

      aebb548e083bbb78251851d3ff149bcc

    • SHA1

      0be016e7487657888bd2b2e71fd1c1d8db1e0edc

    • SHA256

      553ff1a6d805c5bc4001fe69e6bbf70859ebf43dcd6eba63913eb588ec4e4617

    • SHA512

      a4a68e8e5bacd79ff80febdc9eb38a45ed38dc1a1738a29b5362588bc2c607c2c52c6388e5c42189e58cb4db1a8fe360d2899e37b244a100529672d6787b85ea

    • SSDEEP

      12288:6VOBA7sOJsMbPdhOpEYhzQnJdzTjGqK6b3qtD9XNt5/ycdzdULpMqyJMNBeCpkR:qqAYOJZbPdTYhzQJdXTFTibdZUtOf

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks