General

  • Target

    new order (June - 2024).exe

  • Size

    661KB

  • Sample

    240618-qectzaygkk

  • MD5

    c90b8187b8db56562cb03af9d67e61d5

  • SHA1

    0f688b5d1f4d7b024ca0d9a306ffcb273b2fe1df

  • SHA256

    1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1

  • SHA512

    ca943e78deead0c9a954a6eb20ded223e9408b3a457957e56b73c4432aaf06b072a269c8c1bc00d43a4aabe1578f0b18147f074f719239447313ca7db4b05bd1

  • SSDEEP

    12288:0FIsPADvFgvHqtIjdX6UsXvXkkywZCujmt28pip7txWjekR:WIKA2vHcIJFsXvXkkxZCIk286tG

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      new order (June - 2024).exe

    • Size

      661KB

    • MD5

      c90b8187b8db56562cb03af9d67e61d5

    • SHA1

      0f688b5d1f4d7b024ca0d9a306ffcb273b2fe1df

    • SHA256

      1b68fe4f599f20aa70efb528ec45495683877193869eb95cd77119bcac096cd1

    • SHA512

      ca943e78deead0c9a954a6eb20ded223e9408b3a457957e56b73c4432aaf06b072a269c8c1bc00d43a4aabe1578f0b18147f074f719239447313ca7db4b05bd1

    • SSDEEP

      12288:0FIsPADvFgvHqtIjdX6UsXvXkkywZCujmt28pip7txWjekR:WIKA2vHcIJFsXvXkkxZCIk286tG

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks