General

  • Target

    PRODUCTS LIST.pdf.exe

  • Size

    620KB

  • Sample

    240619-s6cpdssgrg

  • MD5

    a9cc3ce556bed1f4f023dfb299b54d32

  • SHA1

    61eacf083e3a9fdb55825ecaedcac6596746d3f7

  • SHA256

    e6467422567d07f55c891b1c452dfb2c3c3d24ffa243799c91004cedb8a0dd0c

  • SHA512

    dd446826fe672b9d162f2f18f08cfcc2ffa0e8586498423e27cbbd00737d5e31b0ecc031ec6cb4d416f1547718c8bc10e615815b4525a25fafb07ead0cf4fd32

  • SSDEEP

    12288:+tX62p8VeLrV6/dcfRGwvjTJGGyHwMmgjjhz3vVe0r8N3j7D:uzyKE/dcfgcIzHM+hLvboNT

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      PRODUCTS LIST.pdf.exe

    • Size

      620KB

    • MD5

      a9cc3ce556bed1f4f023dfb299b54d32

    • SHA1

      61eacf083e3a9fdb55825ecaedcac6596746d3f7

    • SHA256

      e6467422567d07f55c891b1c452dfb2c3c3d24ffa243799c91004cedb8a0dd0c

    • SHA512

      dd446826fe672b9d162f2f18f08cfcc2ffa0e8586498423e27cbbd00737d5e31b0ecc031ec6cb4d416f1547718c8bc10e615815b4525a25fafb07ead0cf4fd32

    • SSDEEP

      12288:+tX62p8VeLrV6/dcfRGwvjTJGGyHwMmgjjhz3vVe0r8N3j7D:uzyKE/dcfgcIzHM+hLvboNT

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks