General

  • Target

    AWB#5305323204643.scr.exe

  • Size

    1.1MB

  • Sample

    240617-qv8xcataka

  • MD5

    87eb4ab4033081b7f43d983be380eaaf

  • SHA1

    7417d9006b798ebdf722a5372b885de86fcc73ff

  • SHA256

    845261d1133cf6d21dc2b756bff6282285739c4856582fc369ad4f688e128dce

  • SHA512

    89e83526479df625c9e5e73108ec7c37c2573409de8c85c3a09e3b9984d8cb8a515b88d6fff89a2ccbf45a19da8f246a926d744e9797e5bf6e77e7dbb312a291

  • SSDEEP

    24576:vCMd92C77NeTxXQo72s3cz1QGsbdnRHj:vld92eeTxAj9QtZn

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      AWB#5305323204643.scr.exe

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT) that harvests saved credentials and keystrokes from the infected host and exfiltrates them to an attacker-controlled SMTP, FTP or HTTP endpoint.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (typically via Add-MpPreference -ExclusionExtension / -ExclusionPath / -ExclusionProcess) so that its own files and processes are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check so the payload only runs (or refuses to run) in certain regions.

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run registry key so the sample is launched again at each logon (persistence).

    • Suspicious use of SetThreadContext

      Setting the thread context of another process is characteristic of process hollowing/injection: a legitimate process is started suspended, its image is replaced with the payload, and the main thread's entry point is redirected before it is resumed.
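
The four behaviours above are what a sandbox signature engine flags from runtime telemetry. The following is an added example, not code from the sandbox that generated this report nor from the sample itself, that reproduces those checks over a constructed, simplified event stream: it parses the Add-MpPreference exclusion parameters out of a PowerShell command line (including PowerShell's abbreviated parameter names and comma-separated arrays), matches Run-key writes, reads of the Geo\Nation country-code value, and cross-process SetThreadContext calls, and maps each to an ATT&CK technique. The event schema, the process IDs and paths, the Geo\Nation value as the specific location setting, and the technique mapping are all assumptions made for the example.

```python
"""Sandbox-style signature checks for the behaviours listed in this report.

Added example, not code from the sandbox that produced this page. The event
records are a constructed, simplified telemetry format (process creation,
registry set/read, API call); the ATT&CK technique IDs are the mapping chosen
here for each signature.
"""
import re
from dataclasses import dataclass

# Parameters of Add-MpPreference that carry Defender exclusions.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")
# A -Exclusion* parameter and its value, up to the next "-Parameter" or end of line.
EXCLUSION_RE = re.compile(r"-(Exclusion\w*)\s+(.+?)(?=\s+-\w|$)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumed location value (HKCU\Control Panel\International\Geo\Nation holds the configured country code).
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    signature: str
    technique: str  # ATT&CK technique ID (mapping chosen here)
    detail: str


def resolve_param(name):
    """Expand a possibly abbreviated -Exclusion* name; PowerShell accepts any unique prefix."""
    matches = [p for p in EXCLUSION_PARAMS if p.lower().startswith(name.lower())]
    return matches[0] if len(matches) == 1 else None


def parse_defender_exclusions(command_line):
    """Return {parameter: [values]} for the exclusions an Add-MpPreference command line adds."""
    if not re.search(r"\badd-mppreference\b", command_line, re.IGNORECASE):
        return {}
    exclusions = {}
    for raw_name, raw_value in EXCLUSION_RE.findall(command_line):
        param = resolve_param(raw_name)
        if param is None:  # not an exclusion parameter, or an ambiguous prefix
            continue
        values = [v.strip().strip("\"'") for v in raw_value.split(",")]  # PowerShell array syntax a,b,c
        exclusions.setdefault(param, []).extend(v for v in values if v)
    return exclusions


def analyze(events):
    """Run the signature checks over a list of event records and return the findings in order."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            image = ev["image"].lower()
            exclusions = parse_defender_exclusions(ev["command_line"])
            if image.endswith(("powershell.exe", "pwsh.exe")) and exclusions:
                detail = "; ".join(f"{k}={','.join(v)}" for k, v in sorted(exclusions.items()))
                findings.append(Finding("Command and Scripting Interpreter: PowerShell", "T1059.001", detail))
                findings.append(Finding("Modifies Windows Defender exclusions", "T1562.001", detail))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            findings.append(Finding("Adds Run key to start application", "T1547.001", f'{ev["key"]} = {ev["value"]}'))
        elif kind == "registry_read" and GEO_KEY_RE.search(ev["key"]):
            findings.append(Finding("Checks computer location settings", "T1614", ev["key"]))
        elif kind == "api" and ev["name"] == "SetThreadContext" and ev["target_pid"] != ev["pid"]:
            # Rewriting a thread context in another process is the hollowing/injection pattern.
            findings.append(Finding("Suspicious use of SetThreadContext", "T1055.012",
                                    f'pid {ev["pid"]} -> pid {ev["target_pid"]}'))
    return findings


# Constructed sample telemetry for a run like the one reported above (not captured from the real sample).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -WindowStyle Hidden -Command Add-MpPreference '
                     r'-ExclusionPath "C:\Users\victim\AppData\Roaming" -ExclusionExtension exe,scr '
                     r'-ExclusionProc "AWB#5305323204643.scr.exe"'},
    {"type": "registry_read", "pid": 3988, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "pid": 3988,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "value": r"C:\Users\victim\AppData\Roaming\WinUpdate.exe"},
    {"type": "api", "pid": 3988, "name": "SetThreadContext", "target_pid": 4120},
    {"type": "process", "pid": 4200, "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.signature}: {f.detail}")
```

The exclusion parser deliberately resolves abbreviated parameter names, because PowerShell accepts any unique prefix and real samples use forms like -ExclusionProc; a detection that only matches the full spelling misses them. It does not decode -EncodedCommand payloads, so in practice the command line should be base64-decoded before it is fed to parse_defender_exclusions.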

MITRE ATT&CK Enterprise v15

Tasks