General

  • Target

    PAYMENT COPY.exe

  • Size

    669KB

  • Sample

    240619-gz3fpazdqq

  • MD5

    691f80dee338a81a9361bf0703de663d

  • SHA1

    e053f7d744f1a1cd3496d730d0bba064b10d208f

  • SHA256

    eeb5b5fa4c3d0d74641f2ef155cafeea97632faa05c4d8b952e0ac269e975d99

  • SHA512

    f2a5e93ae22dda30c49119f4194bc8f2a7e3511c186425528de05ab3e6e78e9f1ba11802e6f7a7e7664e98e099031749051b901f52b235f01365b2e54ee66171

  • SSDEEP

    12288:kFIsPAnx8+hZrDQ5mQMdQZ139NvT1VZVziasFtwa1ocl4SeVDjlLUmCkR:mIKc88/Q5MdQZFZVZsNntqJSeVDjZZx

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    webmail.standardengg-works.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    welcomesew42ac

Extracted

Family

agenttesla

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15