General

  • Target

    RFQ20230822.IMG

  • Size

    2.2MB

  • Sample

    240617-zww4lsybll

  • MD5

    d9a8fbecc096f4cd0987cf9dfdcbbdc0

  • SHA1

    2d337201994dea760e2e355e93ea13dfcfb14e94

  • SHA256

    2478d47791b452461742e4de526a238c932c6ce97bc3784d2146bc7ff2586e29

  • SHA512

    99bd35449fc1b53b46c27239f85d80ffb5d39d1c0749974bd7949b6f073d8197b83f9ae98985df265d550deb9129b1eae4f8fd970a808350e0a97e66afce1941

  • SSDEEP

    12288:jFFXX423r9llnsa9awWlMNXJPqNqz+ggKj7eI5Z1k:jHXZ3Nsa9aTqlga7eK1

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pmceg.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    momenmohamed1234@

Targets

    • Target

      2023081922.exe

    • Size

      1.7MB

    • MD5

      509a489d3f27595fbdb7702be4b8c7db

    • SHA1

      82cba1f457e78189386cbdc33502f208806420fb

    • SHA256

      a5e7ecf8cc93b634528604c72f9b9c754800120a422d1ce400b8aafb2692f6f1

    • SHA512

      8dd3342fef0737961396ad99f339e5e07f4ef87bae0c1e9ede628d2e7dab9944c55f654471cea2728923b4181a8cafd5a507b779b5aedf8c6711df1f3ff1f82c

    • SSDEEP

      12288:oFFXX423r9llnsa9awWlMNXJPqNqz+ggKj7eI5Z1kD:oHXZ3Nsa9aTqlga7eK1s

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks