General

  • Target

    ac3bbd26f4ea882881a374b7dd27edfd929af320b895d75f459bc0bdea484cfc

  • Size

    583KB

  • Sample

    240612-chcfqaydkl

  • MD5

    585b341e172782d1d1e6306114802b2c

  • SHA1

    d63d3f3919beac3a6988cf6fbc1bb40432afeec9

  • SHA256

    ac3bbd26f4ea882881a374b7dd27edfd929af320b895d75f459bc0bdea484cfc

  • SHA512

    5b84870d98bf66e7171695b9dd55eedef29da4b4a40d8aff3417c7f191c73ae76cf06a2de53963d1972ee5e1003210400b824cd6e4b55fdbb270365004a1b79a

  • SSDEEP

    12288:wd5VRAsY7C5STjBlnHXsy5ZsC1yg5yMS5KDaPWtZMHTnTN0EgL3gxxF:wdfx5UjnH8ovo+LcnTiA

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pakdisco.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Pakdis123@

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      ac3bbd26f4ea882881a374b7dd27edfd929af320b895d75f459bc0bdea484cfc

    • Size

      583KB

    • MD5

      585b341e172782d1d1e6306114802b2c

    • SHA1

      d63d3f3919beac3a6988cf6fbc1bb40432afeec9

    • SHA256

      ac3bbd26f4ea882881a374b7dd27edfd929af320b895d75f459bc0bdea484cfc

    • SHA512

      5b84870d98bf66e7171695b9dd55eedef29da4b4a40d8aff3417c7f191c73ae76cf06a2de53963d1972ee5e1003210400b824cd6e4b55fdbb270365004a1b79a

    • SSDEEP

      12288:wd5VRAsY7C5STjBlnHXsy5ZsC1yg5yMS5KDaPWtZMHTnTN0EgL3gxxF:wdfx5UjnH8ovo+LcnTiA

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks