General

  • Target

    7cdb0b445f832108ebd3f328e8e1e552.exe

  • Size

    1.6MB

  • Sample

    240619-k5r4pascjr

  • MD5

    7cdb0b445f832108ebd3f328e8e1e552

  • SHA1

    b38dad9f7796db9ceb5214e9bc1412a6e744ddcb

  • SHA256

    545841c0614979992bd1e4da511c9c4564056bdaac05e7ba146a117051555297

  • SHA512

    2f89081d1c029aa53120e86809b17025edf7f35e6dbf88186a678f429fc90175e354bc0ca5bd0ec8d777b02ef7e4b9bee781c79641c492d381bc8072b0dd0523

  • SSDEEP

    12288:6iTjnBxQhBD39BneCVyy7Ahf5ksed3Kt55Zbx5e5Y8lD8/5KwzxD:6YjnYBDneBKofTeds5zbfe53K5LxD

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

      • Protocol:
        smtp
      • Host:
        mail.pmceg.com
      • Port:
        587
      • Username:
        [email protected]
      • Password:
        momenmohamed1234@

Targets

    • Target

      7cdb0b445f832108ebd3f328e8e1e552.exe

    • Size

      1.6MB

    • MD5

      7cdb0b445f832108ebd3f328e8e1e552

    • SHA1

      b38dad9f7796db9ceb5214e9bc1412a6e744ddcb

    • SHA256

      545841c0614979992bd1e4da511c9c4564056bdaac05e7ba146a117051555297

    • SHA512

      2f89081d1c029aa53120e86809b17025edf7f35e6dbf88186a678f429fc90175e354bc0ca5bd0ec8d777b02ef7e4b9bee781c79641c492d381bc8072b0dd0523

    • SSDEEP

      12288:6iTjnBxQhBD39BneCVyy7Ahf5ksed3Kt55Zbx5e5Y8lD8/5KwzxD:6YjnYBDneBKofTeds5zbfe53K5LxD

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15