General

  • Target

    ff88046e7a20294b52aeba5ede8dcf3a00806135635c24ef4af8d496e455a7c3

  • Size

    1.6MB

  • Sample

    240612-bwk5caxfqk

  • MD5

    cfccda29d5a911a41b9a43da36f26fb8

  • SHA1

    9b2f0fb6c1a3bec3a5a78cf5232aca66a068dcdc

  • SHA256

    ff88046e7a20294b52aeba5ede8dcf3a00806135635c24ef4af8d496e455a7c3

  • SHA512

    8e6018fb3fc1d61905eec17a476b231a29d006b8946db02a18ed1241c5a822f9b64ecef6452c799e1252bdc866e91aeb5c9bfd4411980f9fad2b8e7c430bd085

  • SSDEEP

    12288:tQtB/yt7l6/CNYLQ9S5StSkjes4WCtdSgXv7fGTK32x:qtBER0CNHIujPFk3gKmx

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      ff88046e7a20294b52aeba5ede8dcf3a00806135635c24ef4af8d496e455a7c3

    • Size

      1.6MB

    • MD5

      cfccda29d5a911a41b9a43da36f26fb8

    • SHA1

      9b2f0fb6c1a3bec3a5a78cf5232aca66a068dcdc

    • SHA256

      ff88046e7a20294b52aeba5ede8dcf3a00806135635c24ef4af8d496e455a7c3

    • SHA512

      8e6018fb3fc1d61905eec17a476b231a29d006b8946db02a18ed1241c5a822f9b64ecef6452c799e1252bdc866e91aeb5c9bfd4411980f9fad2b8e7c430bd085

    • SSDEEP

      12288:tQtB/yt7l6/CNYLQ9S5StSkjes4WCtdSgXv7fGTK32x:qtBER0CNHIujPFk3gKmx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks