General

  • Target

    b4db822fef33feb78cf74c835c5bb0ade28759d4c5d2ced9cdb410e472bab6cc.exe

  • Size

    723KB

  • Sample

    240612-cgbg2aycrf

  • MD5

    b0fb3afb79202119f008039e193e3066

  • SHA1

    c5b5afc6a5d061d205ca5f3e08f6e6bcabd3a4e9

  • SHA256

    b4db822fef33feb78cf74c835c5bb0ade28759d4c5d2ced9cdb410e472bab6cc

  • SHA512

    00cd06d946119ae8083eb6789985887e4ec8545d0e348823ca90e311b3c6e0df10a2189251d5a33ec21ed54822a36da84f82a1bce8fb7c4825b2c9249a2cbb97

  • SSDEEP

    12288:OX0pxPV36Di8BtLaygAJWFpkgBsRW3ixBKGcd4bc/UkaBSdcJkGu2IqaBAhG3MRZ:tBFKYkJPgeKVGcCEV/d4kGu2I3yP/

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      b4db822fef33feb78cf74c835c5bb0ade28759d4c5d2ced9cdb410e472bab6cc.exe

    • Size

      723KB

    • MD5

      b0fb3afb79202119f008039e193e3066

    • SHA1

      c5b5afc6a5d061d205ca5f3e08f6e6bcabd3a4e9

    • SHA256

      b4db822fef33feb78cf74c835c5bb0ade28759d4c5d2ced9cdb410e472bab6cc

    • SHA512

      00cd06d946119ae8083eb6789985887e4ec8545d0e348823ca90e311b3c6e0df10a2189251d5a33ec21ed54822a36da84f82a1bce8fb7c4825b2c9249a2cbb97

    • SSDEEP

      12288:OX0pxPV36Di8BtLaygAJWFpkgBsRW3ixBKGcd4bc/UkaBSdcJkGu2IqaBAhG3MRZ:tBFKYkJPgeKVGcCEV/d4kGu2I3yP/

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks