General

  • Target

    REQ-101.rar

  • Size

    588KB

  • Sample

    240619-s45mdssgpe

  • MD5

    b798cd8c8b2b7d3aa8d26c20699507a4

  • SHA1

    c800bf6c50face4303e79bc05f1b1540d22ec8cf

  • SHA256

    e5f1fc1f7264e52ed9bf5e883704f706d310f061deef1f8992e60fee2abf48e3

  • SHA512

    c9a827a54820ea9ce997255e18b04bd28240ff7e9fbc9120f9273a6b327c40cd12ee9b4d4db44b6174cfb9f6328a641cf2bdb4f2632d1ff16d92f8c8500ac386

  • SSDEEP

    12288:GwK8edctZNpH7DDwXxQ7ursuRc3UBY8fKdNIVTiq9A81uSSKAMa:GwedctZL0xQ7urpR1LHVhA832

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      REQ-101.exe

    • Size

      619KB

    • MD5

      54717bd17e89c3a6f5a50dcf44eac950

    • SHA1

      f501915427a67f49e84610bcda2815e1878f42c3

    • SHA256

      16543a3c488ed91a0a0a6c0ae664808f054a6675924826eb2b0174e007fdd1bb

    • SHA512

      b76f2c391b418f238b3c5ab95e91131b4dc483fbad626f53e70e355e9f7d72a3b299d325b3d7930defcede4875307a705d70cc91d6d67ade5aea04a10ce7ec11

    • SSDEEP

      12288:awiwSEb5Oy9jciqU09DZOi4WUi51EUJIkzsfu2WRP89RFkj7D:7jwajp09DZjUiTnIssfuxGb2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks