General

  • Target

    18062024_1310_17062024_freight invoice.tar

  • Size

    1009KB

  • Sample

    240618-qemdeavdka

  • MD5

    6cb3ce923fe07273d1a9b22896505e48

  • SHA1

    cb47ef88893393159966f0d6e5944dd782cadc40

  • SHA256

    d7bdba7ce0bc8bd862baf4cea319ef83a4c631e57da16ac41cef4a11a4fd751e

  • SHA512

    38bd289fe3022ef9a1249ea1d14351523948ee6636126efe7aabcb2f11ba3bf8c688d35915dfb5630bec95a7c8ef26daf93efe55e86861ead4ea90c5d9580e6b

  • SSDEEP

    12288:rTFIsPAaY5QH3xbiSlaMkzE10MKzOzvMJ+EMMuDEzcmFEmm7I3sL4ZNKmobj:NIKsSBbLaMtUzOCPJzNm7IcL4bKHj

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      freight invoice.exe

    • Size

      1007KB

    • MD5

      ad2b14ed6077cddcb6fe7caa1b4fc6bb

    • SHA1

      e1df5697ba2b1d38f23c242c85873f4b9ae98c57

    • SHA256

      44f99d24049bdd928b66782697112d31e45c2de51a515fdd6298e5a57f4eab35

    • SHA512

      f8b66bc86dbff4f1765f76a65d1c4b1572fcdd5c2dcaa1a7f2e084378e4e34a0100580134c8a039d9c53c52f7e0a3af95ea4849678e86269a002fd7d41fa7a6a

    • SSDEEP

      12288:/TFIsPAaY5QH3xbiSlaMkzE10MKzOzvMJ+EMMuDEzcmFEmm7I3sL4ZNKmobj:JIKsSBbLaMtUzOCPJzNm7IcL4bKHj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks