General

  • Target: PO#0094321.zip

  • Size: 645KB

  • Sample: 240618-qkhbmsveqb

  • MD5: 359bb9ec46a991616d8baf76c843e1f1

  • SHA1: 60485b798ab85adfd006c9f9c118038f1c2f67b9

  • SHA256: 6e545f6e39c133d39164a73673e2d29b03897a3ba35fd5fac135077f64d81398

  • SHA512: 68a91576aa496a02e094f76c0ad4c8fbad2f0cde831d0e86c160ffd2627d97677d9ca7e157e029a2cb9fdd7b4d938b4b8192d799efa302373b2080d0af3d88d6

  • SSDEEP: 12288:gwZsf8VhxQUapEndCIrlZlcWJ6cYwGlftU7+c91wQcLbuFz4Tw0FFtO1mj:pgIrlZlCTlftUzQ+Fww0npj

Malware Config

Extracted

  • Family: agenttesla

Credentials

Targets

    • Target: PO#0094321.exe

    • Size: 689KB

    • MD5: e938208917aa519c849d75e33c77214f

    • SHA1: ab4a3013de343543309fd80e593ae1e66d4da166

    • SHA256: 75ae08a3551577bab675fa1b9263e6eb6173be749864b0b073ed535cf57597b9

    • SHA512: 599562228352a9138f2f9b7131f415739ce75668d8067abd14d8c5edad6329cc716fc848b678d418e99a69491a949d8d571b990e84855bfbfca8f2c27d3e5258

    • SSDEEP: 12288:t2iNvFIsPAdbMybkIrlZlI/5+cYH2ViL+x8LEvHCqQwQqPbuFz1ycHshxk:t1DIKabOIrlZlu+cViyx8L0H5KFoqg

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks