General
-
Target
RFQ20230822.IMG
-
Size
2.2MB
-
Sample
240617-zww4lsybll
-
MD5
d9a8fbecc096f4cd0987cf9dfdcbbdc0
-
SHA1
2d337201994dea760e2e355e93ea13dfcfb14e94
-
SHA256
2478d47791b452461742e4de526a238c932c6ce97bc3784d2146bc7ff2586e29
-
SHA512
99bd35449fc1b53b46c27239f85d80ffb5d39d1c0749974bd7949b6f073d8197b83f9ae98985df265d550deb9129b1eae4f8fd970a808350e0a97e66afce1941
-
SSDEEP
12288:jFFXX423r9llnsa9awWlMNXJPqNqz+ggKj7eI5Z1k:jHXZ3Nsa9aTqlga7eK1
Static task
static1
Behavioral task
behavioral1
Sample
2023081922.exe
Resource
win7-20240508-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.pmceg.com - Port:
587 - Username:
[email protected] - Password:
momenmohamed1234@ - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.pmceg.com - Port:
587 - Username:
[email protected] - Password:
momenmohamed1234@
Targets
-
-
Target
2023081922.exe
-
Size
1.7MB
-
MD5
509a489d3f27595fbdb7702be4b8c7db
-
SHA1
82cba1f457e78189386cbdc33502f208806420fb
-
SHA256
a5e7ecf8cc93b634528604c72f9b9c754800120a422d1ce400b8aafb2692f6f1
-
SHA512
8dd3342fef0737961396ad99f339e5e07f4ef87bae0c1e9ede628d2e7dab9944c55f654471cea2728923b4181a8cafd5a507b779b5aedf8c6711df1f3ff1f82c
-
SSDEEP
12288:oFFXX423r9llnsa9awWlMNXJPqNqz+ggKj7eI5Z1kD:oHXZ3Nsa9aTqlga7eK1s
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2