General

  • Target

    9d0d641072e19a15513008b8e7fc98d9b866be80e3a2ae2a5ab622b498a1e4c9

  • Size

    752KB

  • Sample

    240612-cmagxsydqg

  • MD5

    47dc4f629841e718c7ea7a4b8918833d

  • SHA1

    ab05ea754d14c6cf388db5d0d43fbed34173e4e4

  • SHA256

    9d0d641072e19a15513008b8e7fc98d9b866be80e3a2ae2a5ab622b498a1e4c9

  • SHA512

    a66e940e99316b1b5ddc09aa815d6ae7830c1fbae417072597b8edf4f9364e79d26e80229b4f55c54cba4f87d7c36cf962b31fbb8793441c369a3d0e302fe29f

  • SSDEEP

    12288:JZS5+GcGUskvFq7aYD7AAFV3CTLcLmAB/4mF60r2rACR5leZlNa:JZSjcGh8qOCEg3CsyABAU606A+erk

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      9d0d641072e19a15513008b8e7fc98d9b866be80e3a2ae2a5ab622b498a1e4c9

    • Size

      752KB

    • MD5

      47dc4f629841e718c7ea7a4b8918833d

    • SHA1

      ab05ea754d14c6cf388db5d0d43fbed34173e4e4

    • SHA256

      9d0d641072e19a15513008b8e7fc98d9b866be80e3a2ae2a5ab622b498a1e4c9

    • SHA512

      a66e940e99316b1b5ddc09aa815d6ae7830c1fbae417072597b8edf4f9364e79d26e80229b4f55c54cba4f87d7c36cf962b31fbb8793441c369a3d0e302fe29f

    • SSDEEP

      12288:JZS5+GcGUskvFq7aYD7AAFV3CTLcLmAB/4mF60r2rACR5leZlNa:JZSjcGh8qOCEg3CsyABAU606A+erk

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic (VB.NET). It harvests credentials from browsers, mail and FTP clients, logs keystrokes and clipboard contents, and exfiltrates the results over SMTP, FTP or HTTP, which is why the sandbox attaches the extracted configuration (Family / Credentials) to this sample.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the dropped payload and its host process are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the payload runs on this machine.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
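The four behaviours flagged above (Defender exclusions via PowerShell, the registry country-code lookup, the external IP lookup, and SetThreadContext on a foreign process) are what a responder would hunt for in endpoint telemetry. The following is an added example, not part of the Tria.ge report or of the sample: a Python triage helper that scores constructed Sysmon/PowerShell-style events and tags each hit with the ATT&CK technique it evidences. The event shape, the registry key `HKCU\Control Panel\International\Geo\Nation`, the IP-lookup hostnames and the PIDs are assumptions; the report does not state which key, service or processes the sample actually used.

```python
import re

# Constructed events in a simplified Sysmon / PowerShell script-block log shape.
# Sample data only; nothing here is taken from the sandbox run on this page.
SAMPLE_EVENTS = [
    {"type": "script_block", "pid": 4120,
     "text": 'Add-MpPreference -ExclusionPath "C:\\Users\\Public" '
             '-ExclusionExtension "exe" -ExclusionProcess "RegSvcs.exe"'},
    {"type": "script_block", "pid": 4120,
     "text": "Get-MpPreference | Select-Object ExclusionPath"},      # read-only, benign
    {"type": "registry_read", "pid": 4120,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "dns_query", "pid": 4120, "host": "api.ipify.org"},
    {"type": "dns_query", "pid": 4120, "host": "www.microsoft.com"},
    {"type": "api_call", "pid": 4120, "api": "SetThreadContext", "target_pid": 5532},
    {"type": "api_call", "pid": 4120, "api": "SetThreadContext", "target_pid": 4120},
]

# Only Add-/Set-MpPreference change Defender state; Get-MpPreference does not.
MP_CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# -ExclusionPath / -ExclusionExtension / -ExclusionProcess followed by a quoted or bare value.
EXCLUSION_ARG_RE = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))",
    re.IGNORECASE)
# Assumed location of the per-user GeoID; the report does not name the key it saw.
GEO_NATION_KEY = r"control panel\international\geo\nation"
# Assumed set of legitimate IP-lookup services commonly abused by stealers.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com",
                   "icanhazip.com", "ifconfig.me"}


def defender_exclusions(script_block: str) -> dict[str, list[str]]:
    """Return {kind: [values]} for every Defender exclusion the script adds.
    Comma-separated multi-value arguments are not split; the first item is kept."""
    if not MP_CMDLET_RE.search(script_block):
        return {}
    found: dict[str, list[str]] = {}
    for m in EXCLUSION_ARG_RE.finditer(script_block):
        kind = m.group(1).capitalize()
        value = next(v for v in m.groups()[1:] if v is not None)
        found.setdefault(kind, []).append(value)
    return found


def is_geofence_lookup(registry_key: str) -> bool:
    """True when the key read is the user's GeoID (country code), the value a
    geofence check consults before deciding whether to run."""
    return registry_key.lower().replace("/", "\\").endswith(GEO_NATION_KEY)


def is_ip_lookup(host: str) -> bool:
    """True for hostnames that return the caller's public IP address."""
    return host.lower().rstrip(".") in IP_LOOKUP_HOSTS


def is_remote_setthreadcontext(event: dict) -> bool:
    """SetThreadContext on a thread in another process is the hallmark of
    process hollowing / injection; on the caller's own threads it is routine
    for debuggers and managed runtimes, so self-targeting calls are ignored."""
    return (event.get("api") == "SetThreadContext"
            and event.get("target_pid") != event.get("pid"))


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Map each suspicious event to (ATT&CK technique, evidence)."""
    findings: list[tuple[str, str]] = []
    for ev in events:
        if ev["type"] == "script_block":
            excl = defender_exclusions(ev["text"])
            if excl:
                detail = ", ".join(f"{k}={v}" for k, v in excl.items())
                findings.append(("T1562.001 Impair Defenses: Disable or Modify Tools",
                                 f"PowerShell (T1059.001) Defender exclusions: {detail}"))
        elif ev["type"] == "registry_read" and is_geofence_lookup(ev["key"]):
            findings.append(("T1614 System Location Discovery", ev["key"]))
        elif ev["type"] == "dns_query" and is_ip_lookup(ev["host"]):
            findings.append(("T1016 System Network Configuration Discovery",
                             f"external IP lookup via {ev['host']}"))
        elif ev["type"] == "api_call" and is_remote_setthreadcontext(ev):
            findings.append(("T1055 Process Injection",
                             f"SetThreadContext from pid {ev['pid']} into pid {ev['target_pid']}"))
    return findings


if __name__ == "__main__":
    for technique, evidence in triage(SAMPLE_EVENTS):
        print(f"{technique:55s} {evidence}")
```

On a real host the script-block text comes from PowerShell Operational event 4104, the registry read and remote thread activity from Sysmon (event IDs 12/13 and 8/10), and the DNS query from Sysmon event 22. Any one of these alone is weak (administrators add Defender exclusions, installers read locale keys); the combination, from a single process tree, within seconds of an unsigned 752 KB executable starting, is what makes the sample above worth escalating.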

MITRE ATT&CK Enterprise v15

Tasks