General

  • Target

    Bill of Ladden,Invoice & Packing List.exe

  • Size

    692KB

  • Sample

    240617-v49mfsxelg

  • MD5

    3abca3d01e518e48b9d575b2bbdc65c8

  • SHA1

    85d9b7354ac39e47fdd2abb42989ca128c45315d

  • SHA256

    3bab8fe003450bf70cd9ec8c2b92d042d92167da4942046f104f6b3139663a96

  • SHA512

    a7cc95fd098df66fa96e04941e032927a5b088f74865f501bf476095e8b236775e4818f2b70c7d4dfadae4e9d1fde7c9c5e836bfcc5839a20c6a5f2212a8a05c

  • SSDEEP

    12288:uKByCK2xrOoyepvItIvwJq1kugH+s++zfq0HNqbR1FjOgpkR:LByC5yoapsubQ+f3tM1q

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Bill of Ladden,Invoice & Packing List.exe

    • Size

      692KB

    • MD5

      3abca3d01e518e48b9d575b2bbdc65c8

    • SHA1

      85d9b7354ac39e47fdd2abb42989ca128c45315d

    • SHA256

      3bab8fe003450bf70cd9ec8c2b92d042d92167da4942046f104f6b3139663a96

    • SHA512

      a7cc95fd098df66fa96e04941e032927a5b088f74865f501bf476095e8b236775e4818f2b70c7d4dfadae4e9d1fde7c9c5e836bfcc5839a20c6a5f2212a8a05c

    • SSDEEP

      12288:uKByCK2xrOoyepvItIvwJq1kugH+s++zfq0HNqbR1FjOgpkR:LByC5yoapsubQ+f3tM1q

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks