General

  • Target

    56e4771d6a42e653929f16fa2be4ed10a4e0bb17db3637553f35df2ebaf30a6a

  • Size

    653KB

  • Sample

    240619-cvg7qssbrb

  • MD5

    c14daff3857bb91d3f0c3fce7265f4db

  • SHA1

    58107e04628efdafcfd0f72f75f9993ad855337b

  • SHA256

    56e4771d6a42e653929f16fa2be4ed10a4e0bb17db3637553f35df2ebaf30a6a

  • SHA512

    5c73b1fcdcdbb21150fa22211b2caaff9555fa5c432d1b037cd6fb45e00a6c30cad044687ee298b1bbe26a8906b8115ba09ae9e4cbdfd1324f4c13500aaa8832

  • SSDEEP

    12288:1FIsPA/Sf+RAcc0cZVimmNO94fBF3jwJ9/w9DObdwsm:rIKaSf+RAf0WSOWfXu/w9Kws

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      56e4771d6a42e653929f16fa2be4ed10a4e0bb17db3637553f35df2ebaf30a6a

    • Size

      653KB

    • MD5

      c14daff3857bb91d3f0c3fce7265f4db

    • SHA1

      58107e04628efdafcfd0f72f75f9993ad855337b

    • SHA256

      56e4771d6a42e653929f16fa2be4ed10a4e0bb17db3637553f35df2ebaf30a6a

    • SHA512

      5c73b1fcdcdbb21150fa22211b2caaff9555fa5c432d1b037cd6fb45e00a6c30cad044687ee298b1bbe26a8906b8115ba09ae9e4cbdfd1324f4c13500aaa8832

    • SSDEEP

      12288:1FIsPA/Sf+RAcc0cZVimmNO94fBF3jwJ9/w9DObdwsm:rIKaSf+RAf0WSOWfXu/w9Kws

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so that the payload is no longer scanned (ATT&CK T1059.001; the Defender tampering itself maps to T1562.001). The resulting exclusion lists can be enumerated on a host with the Get-MpPreference cmdlet.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check that decides whether to run based on the victim's location (ATT&CK T1614.001).

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup service to discover the infected system's external IP address (ATT&CK T1016.001). The DNS query or HTTP request to that service is a usable network indicator, even though the service itself is benign.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread belonging to another process commonly indicates process hollowing (ATT&CK T1055.012): a legitimate process is started suspended, its image is replaced with the payload, and the thread context is rewritten to the new entry point before execution resumes.
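
The following Python script is an added hunting example and is not part of the sandbox report or of the sample's own code. It covers two of the behaviours listed above, the PowerShell-driven Defender exclusions and the external IP lookup, by scanning Sysmon-style JSON records (Event ID 1 process creation and Event ID 22 DNS query). The records, file names and the list of IP-lookup hosts are constructed here for illustration and are assumptions, not indicators taken from this sample. It goes slightly beyond the report by also decoding -EncodedCommand payloads, since exclusion commands are often passed base64-encoded.

```python
"""Hunt for Defender-exclusion PowerShell and external IP lookups in Sysmon JSON lines.

Added example (not from the report). Event records below are constructed to resemble
Sysmon Event ID 1 (process creation) and Event ID 22 (DNS query) exported as JSON lines.
"""
from __future__ import annotations

import base64
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cmdlets that add or change Defender preferences, and the exclusion parameters we care about.
DEFENDER_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENCODED_ARG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Assumption: illustrative set of public "what is my IP" services; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ipinfo.io", "ifconfig.me"}


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID
    process_id: int  # Sysmon ProcessId of the offending process
    detail: str


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so regexes can see it."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a valid encoded script; keep the raw command line
    return f"{cmdline} {decoded}"


def check_process_creation(ev: dict) -> Optional[Finding]:
    """Flag PowerShell processes that add or modify Defender exclusions (T1562.001)."""
    image = ev.get("Image", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return None
    cmdline = decode_encoded_command(ev.get("CommandLine", ""))
    if not DEFENDER_CMDLET_RE.search(cmdline):
        return None  # e.g. Get-MpPreference is a read-only query, not tampering
    kinds = sorted({m.group(1).lower() for m in EXCLUSION_PARAM_RE.finditer(cmdline)})
    detail = "defender exclusion added: " + ",".join(kinds) if kinds else "MpPreference modified"
    return Finding("T1562.001", int(ev["ProcessId"]), detail)


def check_dns_query(ev: dict) -> Optional[Finding]:
    """Flag DNS lookups of public external-IP services (T1016.001)."""
    qname = ev.get("QueryName", "").lower().rstrip(".")
    if qname in IP_LOOKUP_HOSTS or any(qname.endswith("." + h) for h in IP_LOOKUP_HOSTS):
        return Finding("T1016.001", int(ev["ProcessId"]), f"external IP lookup via {qname}")
    return None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run both checks over JSON lines and return the findings in input order."""
    findings: List[Finding] = []
    for line in lines:
        ev = json.loads(line)
        finding = None
        if ev.get("EventID") == 1:
            finding = check_process_creation(ev)
        elif ev.get("EventID") == 22:
            finding = check_dns_query(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (assumed paths and names, not indicators from this sample).
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionProcess 'C:\\Users\\Public\\svchost32.exe'".encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "ProcessId": 4120, "Image": _PS,
                "CommandLine": "powershell -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Public' -ExclusionExtension 'exe'"}),
    json.dumps({"EventID": 1, "ProcessId": 4188, "Image": _PS,
                "CommandLine": f"powershell -w hidden -enc {_ENCODED}"}),
    json.dumps({"EventID": 1, "ProcessId": 4200, "Image": _PS,
                "CommandLine": "powershell Get-MpPreference"}),
    json.dumps({"EventID": 22, "ProcessId": 4312, "Image": "C:\\Users\\Public\\svchost32.exe",
                "QueryName": "api.ipify.org"}),
    json.dumps({"EventID": 22, "ProcessId": 1100, "Image": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
                "QueryName": "www.example.com"}),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique} pid={f.process_id} {f.detail}")
```

Three of the five constructed records are flagged: the plain-text and the encoded exclusion commands, and the DNS query to the IP-lookup host; the read-only Get-MpPreference call and the ordinary browser lookup are ignored. On a real host, the exclusions such a command creates can be confirmed afterwards with Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess), which is a quick triage check when this signature fires.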

MITRE ATT&CK Enterprise v15

Tasks