General

  • Target

    Dhl_waybill#.exe

  • Size

    735KB

  • Sample

    240612-hd2spsshqe

  • MD5

    c07a5aae78c4449dd4164943d5650bf7

  • SHA1

    33ae22edec0b49a4735061d52b1730d1447fb420

  • SHA256

    af6694d1a51a60d7bf11ca63a9af3e749c122490ab8f620921b73f89eb1d9123

  • SHA512

    6cf227539b64ccc37d99bf36982bc96087be17996b0892d31f6392a98859951c2754ef3dcee9f72efa77d1c4347cc06115f700a4cfad38648dbc4332aec57423

  • SSDEEP

    12288:t7dXtfETH6ViiCLEdd1fS+PDoKX85hTLRAy9amFdJ0kENV:pd92H6Vlj1fS+Unxf70j

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Dhl_waybill#.exe

    • Size

      735KB

    • MD5

      c07a5aae78c4449dd4164943d5650bf7

    • SHA1

      33ae22edec0b49a4735061d52b1730d1447fb420

    • SHA256

      af6694d1a51a60d7bf11ca63a9af3e749c122490ab8f620921b73f89eb1d9123

    • SHA512

      6cf227539b64ccc37d99bf36982bc96087be17996b0892d31f6392a98859951c2754ef3dcee9f72efa77d1c4347cc06115f700a4cfad38648dbc4332aec57423

    • SSDEEP

      12288:t7dXtfETH6ViiCLEdd1fS+PDoKX85hTLRAy9amFdJ0kENV:pd92H6Vlj1fS+Unxf70j

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks