General

  • Target

    REQ-102.rar

  • Size

    588KB

  • Sample

    240619-s49lcaxenr

  • MD5

    bac7dcfc4f1a2ab011cf5e7bb7f25d47

  • SHA1

    113b9ebf38182ab007d71638ac283f0419cd15c3

  • SHA256

    dd82066c688d81cd40cd1e83b7c174a0f1f78fc27d7f20d0d8ee5c27899bc30d

  • SHA512

    a3d5f8bb32de6a3dc42f5611735d5b1f52f86598db6f170201a4c17ab6c2af7d99c72709bcd250e6534411bbe0736541c5cfdf94953c86e026e96595351ecdbc

  • SSDEEP

    12288:gwK8edctZNpH7DDwXxQ7ursuRc3UBY8fKdNIVTiq9A81uSSKAMc:gwedctZL0xQ7urpR1LHVhA83I

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      REQ-102.exe

    • Size

      619KB

    • MD5

      54717bd17e89c3a6f5a50dcf44eac950

    • SHA1

      f501915427a67f49e84610bcda2815e1878f42c3

    • SHA256

      16543a3c488ed91a0a0a6c0ae664808f054a6675924826eb2b0174e007fdd1bb

    • SHA512

      b76f2c391b418f238b3c5ab95e91131b4dc483fbad626f53e70e355e9f7d72a3b299d325b3d7930defcede4875307a705d70cc91d6d67ade5aea04a10ce7ec11

    • SSDEEP

      12288:awiwSEb5Oy9jciqU09DZOi4WUi51EUJIkzsfu2WRP89RFkj7D:7jwajp09DZjUiTnIssfuxGb2

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks