General

  • Target

    Swift Copy TT USD14037800.PDF.exe

  • Size

    1.1MB

  • Sample

    240618-qz8r5swcna

  • MD5

    2df6b68d7182275e8ae2f5491b6ffb75

  • SHA1

    808470d278270fe91b73338c89ba4e22f5f7db0f

  • SHA256

    383d0f4cc036007f1c717e49856a3e0cf8bfe511673c291f568a2930f0993778

  • SHA512

    fbfdd017c56d3ae701c1717a82e81e83b2f3ed3fa091a2f6885d8e0c75bf5ca833150c477862ebada80bebf94a7cd10acd0f24c15ac89ffc75fb2c43d5edc295

  • SSDEEP

    24576:rAHnh+eWsN3skA4RV1Hom2KXMmHaQHzK8WkU2NHC5:Gh+ZkldoPK8YaQHzK8e2NY

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Swift Copy TT USD14037800.PDF.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks