General

  • Target: df7e0727a02af0009d47c5b3c978b511c7e1079da8b1c29b15650fdccab203a6
  • Size: 689KB
  • Sample: 240612-cd8claycmf
  • MD5: c0cfb4564f58f95f4f451c906075545c
  • SHA1: 054601b9ebe4ad53d001cf826039c9c805675dc7
  • SHA256: df7e0727a02af0009d47c5b3c978b511c7e1079da8b1c29b15650fdccab203a6
  • SHA512: 6511288dfa7361e6d7ced7ba443aa86e6431173607905dd54cdce3e578dbd1c9237dcf71a95c49bba600fc5c598fe2152343606b71437f478ca347dbcdd23db1
  • SSDEEP: 12288:rOidIlbPNLgEDIu8VQrXrrQWcqbINiigM7PnaQSzBbBAH0YbX6gUTAPgnQCp:rTd8EEDWQ7ApqbIsigMLLSF1K0YugO4E

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target: Swift Advice.exe
    • Size: 751KB
    • MD5: e6b7493437b908e9d81f7aa0c477fa60
    • SHA1: 3cf0249d2239a9b73146e505d3a09d350f43ff3d
    • SHA256: 2ca6ab9b5571aef408c1f47e4a3802834283b97fd2a75c0e6f675d92fe2b322f
    • SHA512: 148696e8bd3da3f7ed504e8ea4c4bef6dade456863451c553eafae0231ee978bc621730c0770f4e3cd25a3716e36938c80a31fa8d5a12eb318ab20f8e062f44d
    • SSDEEP: 12288:8qxcZsfQrHrrQWoqbINii6MvPNaQSzBfBAl0YBMpACR5leZlNm:iZUQjALqbIsi6MHlSF5e0YKpA+erY

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks