General

  • Target

    shipping documents.zip

  • Size

    683KB

  • Sample

    240618-hh3kss1fqe

  • MD5

    98b7a0ed9bb2dab5a83d2b397494caf4

  • SHA1

    feab4164ade554914c480f9fd80cc32b0c310a83

  • SHA256

    eebeef371d295088e2f2377f18a95c290de5f77cf0a50cf3e74d10d219c3a841

  • SHA512

    981a55c3577970b0bd354ea3079383ab8d723235b0f0b1321b79b66aebe4ffbb19fb217c63fcaeabe2d054ea843acb34c46833ee9bbbd6839c7d6452d18b01cd

  • SSDEEP

    12288:nSwRvfTx4hh/Ta4SNelKclmy7DLTawfov7G2SLCk61rOjxyQjxgQp:vRvfTx4hh/VSNkdeGwz1IywxD

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      shipping documents.exe

    • Size

      731KB

    • MD5

      487581e26f44dc342b13f83a424a7d0b

    • SHA1

      f63e3fdfa598322bd2ededb12a2c272182824990

    • SHA256

      553e372ef331a9891f8cada32625bd6491cbd427f1a2a6ad62cd1472ec3f23a0

    • SHA512

      9e903d9be418a8d024b566bf06d28a300bf15f3fa042a4a8ebe7b8e186a8cb50ad19e5a892e5137dccc05fac4b7eabf6236592b6efcea045d68ad1988c03a99a

    • SSDEEP

      12288:UPU2iNPyCK2xrOo2BakSVelkYawUlrc/6t2SLck6en6Oj0KlhKAgLEwkR:L15yC5ESVkRallVGzgfkAX

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks