General
Target: b719c3d29b56e4c8bd56630d412a7836dbf7dbfc836d8d117133c0a6a7386448
Size: 612KB
Sample: 240619-bdvk3avekl
MD5: c13361acb02f643eed386b5babe83fee
SHA1: 1e6a35f6ec1f4d89b7e5747d398ffb362c7adf7f
SHA256: b719c3d29b56e4c8bd56630d412a7836dbf7dbfc836d8d117133c0a6a7386448
SHA512: d53d76581e06d244e119310888141d62434c430c741aaec2aea476a36b6dd4d3668ddcf2c9d9ab236484cfb45fd1eefb9abcade757a7e51141b25571e960e55f
SSDEEP: 12288:hhb8vz/s7AHVFVRJES8sGyQa+HheTds/Ve2SnSvnNKsoGd:b8v7s8FHEvyQaKepu+nYNKM
Static task: static1
Behavioral task: behavioral1 (Sample: order .exe, Resource: win7-20240508-en)
Behavioral task: behavioral2 (Sample: order .exe, Resource: win10v2004-20240508-en)
Malware Config
Extracted (agenttesla)
Protocol: smtp
Host: mail.pishgamsanaat.com
Port: 587
Username: [email protected]
Password: Pishgam123456
Email To: [email protected]

Extracted
Protocol: smtp
Host: mail.pishgamsanaat.com
Port: 587
Username: [email protected]
Password: Pishgam123456

These are the credentials of the actor's exfiltration mailbox, which AgentTesla carries inside the binary; mail.pishgamsanaat.com on TCP 587 (SMTP submission) is the network indicator to block and hunt for.
Targets
Target: order .exe
Size: 3.0MB
MD5: cf915d0133f110684b2bed7be93200da
SHA1: 106c7d2ed3bffb26fc614664d4fa6f41ea761a1b
SHA256: f2199b5af4d4dba3bec535acbb4fadde6145ddc841dc13ee4a9aad7d3db63ff1
SHA512: d0b0b866c8429cd87960da8eae1eaee69842bed7911e7ccc65ebc26b9879a794ac2306e950477cb17df5b4e6491c3a111c5e59fd06d00d44dd3684a4cf9aca21
SSDEEP: 12288:GUIAvR1A7yLrFfxNES8sGaQK+bd8bdsZfe241QvNBKgKcC:hIAvHA2lvERaQKa8xws1aHKL
- AgentTesla: Agent Tesla is a .NET-based information stealer and remote access tool (RAT); the configuration above shows this build exfiltrating over SMTP.
- Command and Scripting Interpreter: PowerShell: runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes, so the dropped payload is no longer scanned (the Impair Defenses mapping below).
- Checks computer location settings: reads the country code configured in the registry, most likely a geofence check to avoid running in certain regions.
- Adds Run key to start application: persistence through a Registry Run key (Boot or Logon Autostart Execution below).
- Looks up external IP address via web service: queries a legitimate public IP lookup service to learn the infected system's external address.
- Suspicious use of SetThreadContext: consistent with the payload being written into a suspended process and its entry point redirected (process hollowing / injection), so the AgentTesla code may run under a different image name than order .exe.
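To turn the behaviours listed above and the extracted SMTP configuration into a repeatable host-side check, here is an added example in Python (it is not part of the sandbox report and not code from the sample). It runs a small triage routine over constructed Sysmon-style event records. The event records, the path C:\Users\victim\AppData\Roaming\order.exe, the list of IP-lookup domains and the ATT&CK sub-technique IDs used as tags are assumptions; the only indicator taken from the report is the SMTP host and port.

```python
"""Triage the report's behaviours against constructed host telemetry.

Added example, not from the sandbox report or the sample. The events below
are constructed to look like Sysmon Event IDs 1 (process create),
13 (registry value set), 22 (DNS query) and 3 (network connection).
"""
import re

# Constructed events (assumption: paths, SIDs and command lines are invented).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -NoP -W Hidden -C "Add-MpPreference -ExclusionPath '
                r'C:\Users\victim\AppData\Roaming -ExclusionExtension exe -ExclusionProcess order.exe"'},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\order",
     "details": r"C:\Users\victim\AppData\Roaming\order.exe"},
    {"id": 22, "image": r"C:\Users\victim\AppData\Roaming\order.exe", "query": "api.ipify.org"},
    {"id": 3, "image": r"C:\Users\victim\AppData\Roaming\order.exe",
     "dst_host": "mail.pishgamsanaat.com", "dst_port": 587},
    # Benign control: reads Defender settings but changes nothing.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-MpPreference"},
]

# The SMTP C2 from the extracted config is the only indicator taken from the report.
C2_SMTP = ("mail.pishgamsanaat.com", 587)

# Public IP lookup services commonly queried by stealers (assumed list, extend as needed).
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                     "checkip.dyndns.org", "ip-api.com"}

# Add-MpPreference with any -Exclusion* parameter is the cmdlet behind
# "modify Windows Defender settings to add exclusions".
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b", re.I)
EXCLUSION_KIND = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def classify(event):
    """Return a list of (technique_id, description) tags for one event.

    Technique IDs are the assumed ATT&CK mapping for each behaviour.
    """
    tags = []
    if event["id"] == 1 and MP_EXCLUSION.search(event.get("cmdline", "")):
        kinds = sorted({m.group(1).lower() for m in EXCLUSION_KIND.finditer(event["cmdline"])})
        tags.append(("T1562.001", "Defender exclusion added: " + ",".join(kinds)))
    if event["id"] == 13 and RUN_KEY.search(event.get("target", "")):
        tags.append(("T1547.001", f"Run key persistence -> {event['details']}"))
    if event["id"] == 22 and event.get("query", "").lower() in IP_LOOKUP_DOMAINS:
        tags.append(("T1016", f"external IP lookup via {event['query']}"))
    if event["id"] == 3 and (event.get("dst_host", "").lower(), event.get("dst_port")) == C2_SMTP:
        tags.append(("T1048.003", f"SMTP exfil to {event['dst_host']}:{event['dst_port']}"))
    return tags


def triage(events):
    """Collapse per-event tags into {technique_id: [descriptions]}."""
    hits = {}
    for ev in events:
        for tid, desc in classify(ev):
            hits.setdefault(tid, []).append(desc)
    return hits


if __name__ == "__main__":
    for tid, descs in sorted(triage(EVENTS).items()):
        print(tid, descs)
```

The Run-key and exclusion checks are deliberately narrow: on a real fleet, Event ID 13 writes under CurrentVersion\Run from installers are common, so the useful signal is the combination with the same image later resolving an IP-lookup domain and opening SMTP submission (587) to a host that is not the organisation's mail relay.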
MITRE ATT&CK Enterprise v15 (counts in parentheses are as reported)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (3): Disable or Modify Tools (3)
  Modify Registry (5)