General

  • Target: 123.exexxxxxxxx
  • Size: 2.2MB
  • Sample: 240619-gssb5szdln
  • MD5: 7932f6ceafe3ff9a846d76e083c9bdc3
  • SHA1: 586e455bd53f5d16a53c3c639e2c07b0931663c9
  • SHA256: 8118f08c6421a0b84083b59fe557b4035da882d343899149b127f3d1f00ce268
  • SHA512: 99d31a77361277b52f8f6ab66722c17735d2d65e3d41943321fca38e3cc36927a643a1458a4d53975ba8be1c5e06149a80812a4c7d4836fbf4bc5ddddb0effef
  • SSDEEP: 12288:ujqir/lhbePy/bj7+Hg2wk809Kl8Xii/drQ51XJJdGNl0fghrIsiX02Dfy7:uWi/r73Qg2wkP9KlOanX1lCrpiX02Da7

Malware Config

  • Family: agenttesla

Extracted Credentials

  • Protocol: smtp
  • Host: smtp.ionos.com
  • Port: 587
  • Username: [email protected]
  • Password: T2@Gwt567

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15