General

  • Target: 5fcf51d8f789ac7b52a3a3c8a134663483710fcde461ed101e87708282b673fb

  • Size: 639KB

  • Sample: 240612-ckfadsydnj

  • MD5: fa20ff9c5380516b8755de1b2ab0b15e

  • SHA1: 3ebbea075575853586c51f27e642c79a0b148e87

  • SHA256: 5fcf51d8f789ac7b52a3a3c8a134663483710fcde461ed101e87708282b673fb

  • SHA512: 8fda98c8d33586f2753cb072ddadb0ed7ea83c9e1139c51d348896b164bc7d8f60f25499fd07b8b72b30eb1f0681672571bb734aebd4fad7bf7314159632849a

  • SSDEEP: 12288:wp3W8nlD63T8RxdBEmARYNMZgx0+uk87cIxbeJm5h/+wCpb3/Tpqzuv+ENLn0:wRW8VBpDARYqZ20+ur7hKm5J+Dp/Fku2

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks