General

  • Target

    purechaseorder2.exe

  • Size

    690KB

  • Sample

    240617-p4pdmawapk

  • MD5

    a69c139c6390c639ddd83f5c8e006788

  • SHA1

    46521b93f8ddb4a94d0b8cfd9c41d44a4c72d4e3

  • SHA256

    be6539fe8ddc73844ee2868d75eaffc895b235be6410e9533cef0e08eeb7ba8d

  • SHA512

    0f712d6ba46f9c7ace62fc21ccdba9235d8595d207af91e0e2857f5ee073b322c9367318b5b8c1191e174e09ee4e0cc997b5c15485c998068ef319ddcafd2599

  • SSDEEP

    12288:b2iNvFIsPAT1k5nUY2LCV5jgnSustlR3MjHAXAbO7wxwDFJS8uQu+y:b1DIKc1kb2LCCS3tnMQAI/py

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      purechaseorder2.exe

    • Size

      690KB

    • MD5

      a69c139c6390c639ddd83f5c8e006788

    • SHA1

      46521b93f8ddb4a94d0b8cfd9c41d44a4c72d4e3

    • SHA256

      be6539fe8ddc73844ee2868d75eaffc895b235be6410e9533cef0e08eeb7ba8d

    • SHA512

      0f712d6ba46f9c7ace62fc21ccdba9235d8595d207af91e0e2857f5ee073b322c9367318b5b8c1191e174e09ee4e0cc997b5c15485c998068ef319ddcafd2599

    • SSDEEP

      12288:b2iNvFIsPAT1k5nUY2LCV5jgnSustlR3MjHAXAbO7wxwDFJS8uQu+y:b1DIKc1kb2LCCS3tnMQAI/py

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks