General

  • Target

    ORDER060424.zip

  • Size

    659KB

  • Sample

    240612-gvxdwasfjj

  • MD5

    c5aa5f758a101b273f183357c43662e1

  • SHA1

    d772f5e277a8dea76b4bdb3668cfa948fc4f8f2e

  • SHA256

    f0b62283b523283224e9dd766ea92f4150e23bec6839b260547446a5ba183852

  • SHA512

    0ef21d191350648a87eeaa864ab8a7406e26a40c387d004dede9a61cc16dec80d72d3b930baf89d08a78afe615fad94dc73a2b09ac9552d444ccc39dd2d2bea4

  • SSDEEP

    12288:NOn/tGMfvqapLFcNf3XtBxlI3oyySeilBtay0SxS1Zskmf/yBTZgo9w:8lGSvqapLFcd33PyYSeilBqSA1akc/se

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      ORDER060424.exe

    • Size

      749KB

    • MD5

      e25710d9677226ae6906c196b940240b

    • SHA1

      91afe48137e3fe0658d931042bc935e3cc7a31dc

    • SHA256

      4945386dd90b6b092bd13414fe19d0a296ce17f0822632a6b6567252f692cef5

    • SHA512

      86f867250db2d0ca959ff1126d02fa48bfef0f2ae1809bec482e6484c5d8a20073e9922322c50d36c566c31bb6b6fcad19357de5b1f0f7e56100d51cc43913f3

    • SSDEEP

      12288:YQdXtfETzvqwVlfEvf3xCotBH1G3Xae8lBti30S/S1jdAuJkR:Zd92zvqwVlfEH3x/VAKe8lBokSa1xAD

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks