General

  • Target

    rRFQ_TSL104_20221024_pdf.exe

  • Size

    2.9MB

  • Sample

    240618-zvfegawflf

  • MD5

    edef0d2515fc3452e4175b3d223a5f90

  • SHA1

    60342fb0ee1a34ecc2e3430f0f62aaa69a6e1a57

  • SHA256

    86744ad357edc64f956c3a8df9c8bd852ae125189e80652703dc5624a97584a6

  • SHA512

    3d7974953aadd7e33dceca2cb405de1632956501e623d61e30a270cac6a249030873a3d4cb6db282fa9acfe497e23ea35f9a0ea8d1437a3e250622b93681b3a1

  • SSDEEP

    12288:VYXxEe0uZOuUTwUqdkvub/jBLLlB3xYyWtORM0rTKAnYMlvs3iZDjNFGjM9D:qRNuXOhRvLxYyuwRrT5nYqvs4DWiD

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7261799157:AAHbEGrAXqYSY7AMfUzmzD3U1FgkRxHSXws/

The extracted C2 is a Telegram Bot API endpoint with the bot token (the part after "bot") embedded in the URL, so the sample talks to api.telegram.org over HTTPS rather than to attacker-controlled infrastructure; the bot token is the indicator worth recording.

Targets

    • Target

      rRFQ_TSL104_20221024_pdf.exe
    • AgentTesla

Agent Tesla is a .NET-based remote access tool (RAT) and information stealer written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

Looks up the country code configured in the registry, likely as a geofence check.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext
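The three behaviours above that leave a clean trail (the Telegram Bot API C2 from the Malware Config section, the PowerShell Defender-exclusion signature, and the registry country-code lookup) can be turned into detection logic. The script below is an added example, not part of the original sandbox report and not code from the Agent Tesla family; it runs over a handful of constructed event records that mimic what a sandbox or EDR would log (the event schema, process IDs, paths and the Get-Date command line are assumptions), and emits one finding per matched behaviour. The Telegram URL is the one extracted on this page; the registry key path HKCU\Control Panel\International\Geo\Nation and the Add-MpPreference cmdlet are the standard Windows locations for a country-code lookup and a Defender exclusion respectively.

```python
"""Triage helper for the behaviours listed in this report (added example).

Flags three things on constructed sandbox-style events:
  1. Telegram Bot API traffic used as C2 (bot token embedded in the URL)
  2. PowerShell Add-MpPreference calls that add Windows Defender exclusions
  3. reads of the registry country code (likely geofence check)
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Telegram bot tokens look like "<numeric bot id>:<35-char secret>".
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,45})/(?P<method>\w*)"
)
# Add-MpPreference is the Defender cmdlet used to add exclusions.
MPPREF_RE = re.compile(r"Add-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Extension|Process)\s+(?P<value>\"[^\"]+\"|'[^']+'|\S+)",
    re.IGNORECASE,
)
# Where Windows stores the configured country (GeoID) for the current user.
GEO_NATION_RE = re.compile(r"Control Panel\\International\\Geo\\Nation", re.IGNORECASE)

# Constructed sample events (assumed schema), not captured from the sample.
EVENTS: List[Dict] = [
    {"type": "network", "pid": 2184,
     "url": "https://api.telegram.org/bot7261799157:AAHbEGrAXqYSY7AMfUzmzD3U1FgkRxHSXws/"},
    {"type": "process", "pid": 3300, "image": "powershell.exe",
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming" '
                '-ExclusionExtension exe -ExclusionProcess rRFQ_TSL104_20221024_pdf.exe'},
    {"type": "registry", "pid": 2184, "op": "QueryValue",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "network", "pid": 4012, "url": "https://www.bing.com/"},
    {"type": "process", "pid": 5001, "image": "powershell.exe",
     "cmdline": "powershell -Command Get-Date"},
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def extract_telegram_token(url: str) -> Optional[str]:
    """Return the bot token from a Telegram Bot API URL, or None."""
    m = TELEGRAM_BOT_RE.search(url)
    return m.group("token") if m else None


def defender_exclusions(cmdline: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every exclusion an Add-MpPreference call adds."""
    if not MPPREF_RE.search(cmdline):
        return []
    return [(m.group("kind").lower(), m.group("value").strip("\"'"))
            for m in EXCLUSION_RE.finditer(cmdline)]


def is_geofence_lookup(key: str) -> bool:
    """True if the registry key is the per-user country code (GeoID) value."""
    return bool(GEO_NATION_RE.search(key))


def triage(events: List[Dict]) -> List[Finding]:
    """Run all three checks over the event stream and collect findings."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "network":
            token = extract_telegram_token(ev.get("url", ""))
            if token:
                # Log only the bot id; the full token is a secret and goes to the IOC store.
                findings.append(Finding(ev["pid"], "c2.telegram_bot_api",
                                        f"bot id {token.split(':')[0]}"))
        elif ev["type"] == "process":
            for kind, value in defender_exclusions(ev.get("cmdline", "")):
                findings.append(Finding(ev["pid"], "defense_evasion.defender_exclusion",
                                        f"{kind}={value}"))
        elif ev["type"] == "registry" and is_geofence_lookup(ev.get("key", "")):
            findings.append(Finding(ev["pid"], "discovery.geofence_country_code", ev["key"]))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid={f.pid:<5} {f.rule:<40} {f.detail}")
```

The exclusion parser deliberately returns each excluded item separately: an analyst usually wants the excluded path or process name as its own indicator, and a single Add-MpPreference line can add all three kinds at once, as the constructed command line shows.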

MITRE ATT&CK Enterprise v15

Tasks