General

  • Target

    DHL Package Documents clearance.exe

  • Size

    690KB

  • Sample

    240617-sf6vjsyemm

  • MD5

    06f29001ddc852a2880b8ece673ff24c

  • SHA1

    f80a254ba85b9531da05c74a12a8235ef8a359a1

  • SHA256

    87c68756481a2bbd821e8ac224087c5626ffdc1e05eaaeff506bb0b5148bba0b

  • SHA512

    95020cd917b98919d3960090209bbd754739cc247ffd0497cbf0edd0142ab7c86d668f6617b9f47c8e375dc323508bb42d38fe2c44eca4b56524835e0b40527b

  • SSDEEP

    12288:D2iNvFIsPAYDDNvkm7TuIQvQatxuJlV3D677qZAu+IPlatsXqdcW:D1DIK7DNvj7TuIQY3X3e7uZAuExdc

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DHL Package Documents clearance.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks