General

  • Target

    f1824617fee9b12404d9c7378ea08c645da6db1726756038577de1413069d002.zip

  • Size

    616KB

  • Sample

    240618-x6t1wsyhqj

  • MD5

    54e76fc58a7a13ef5198b16e86ab73c3

  • SHA1

    bd344b65d9cbc757222ff99b5750eb399b4c6d94

  • SHA256

    f1824617fee9b12404d9c7378ea08c645da6db1726756038577de1413069d002

  • SHA512

    e6b503996e2353239ed9e0ce03c885a6d074bb2d973eb030fa20180c3b9761f8a6de4e856b3062dcaa52227347a4a8a3de6095bef3fceb37ba7bbea4e49096d2

  • SSDEEP

    12288:osVQ6XUoB/iIxFuiJd5vAFXqNWaZtjTr7A3To9Vw+3twdP:oqhNiI+iJdupqNdnrgTwtwdP

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      ORDER060424.exe

    • Size

      649KB

    • MD5

      0c0a41c08e05cc17ec190a8325122ff1

    • SHA1

      d626dadb8389d7d3a2ef8a4d55ea1e93012344df

    • SHA256

      dc2e8a0f43a7ba9dc6ccf14dfda7e6ddd366d137cf774e221b09165ca6b414a8

    • SHA512

      eedf165ebccb8a4c90664a4eaa8389aa7f67fd03035e3e3592dd8ebbcf0c4f67e2cc398ecf5838469721fffce7b511c74f2973632d065fef825ef15acc0ce5de

    • SSDEEP

      12288:Fjgd/iFIsPAb/z/6U66JBBQILFuCJJ5JAl9qv+6Pt71rjzhO0dto9Vy9j+jtIU0Y:9gdkIKybs6J7QI8CJJgXqvdRrPs0dtDg

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks