General

  • Target

    XIN LIAN OCEAN - 12th hire.rar

  • Size

    588KB

  • Sample

    240619-ssmbnsxdjp

  • MD5

    45c720a2b4f28b52c5db6f7582eaf0ac

  • SHA1

    749e563bb983ef96087f2597423b971cc012bc22

  • SHA256

    a4c04980defc06c392ab44b4a1a6ec33bed85edefdaa4ddf9b0fcb2d37587e3d

  • SHA512

    c9a4265f332833258619c5043bd8b17db539d3e048353b7d28b2b8b41c31de090c7f64798e837b93abee46d3b0e9395d11d53c584ff96a078d3162b6d8b7dbc5

  • SSDEEP

    12288:BwK8edctZNpH7DDwXxQ7ursuRc3UBY8fKdNIVTiq9A81uSSKAM4:BwedctZL0xQ7urpR1LHVhA83k

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      XIN LIAN OCEAN - 12th hire.exe

    • Size

      619KB

    • MD5

      54717bd17e89c3a6f5a50dcf44eac950

    • SHA1

      f501915427a67f49e84610bcda2815e1878f42c3

    • SHA256

      16543a3c488ed91a0a0a6c0ae664808f054a6675924826eb2b0174e007fdd1bb

    • SHA512

      b76f2c391b418f238b3c5ab95e91131b4dc483fbad626f53e70e355e9f7d72a3b299d325b3d7930defcede4875307a705d70cc91d6d67ade5aea04a10ce7ec11

    • SSDEEP

      12288:awiwSEb5Oy9jciqU09DZOi4WUi51EUJIkzsfu2WRP89RFkj7D:7jwajp09DZjUiTnIssfuxGb2

    • AgentTesla

      Agent Tesla is a .NET-based (Visual Basic) remote access tool (RAT) and information stealer.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • Suspicious use of SetThreadContext

      Setting another thread's context is a common step in process hollowing and similar code-injection techniques.
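
The three behavioural signatures above (PowerShell Defender exclusions, registry locale lookup, external IP lookup) can be checked with a small matcher over sandbox or EDR telemetry. The following is an added example, not part of this report or of any sandbox's detection engine. The event shapes (a list of `(kind, data)` tuples), the sample events, the Defender cmdlet regexes, and the list of IP-lookup hosts are all assumptions constructed for the example; the locale registry paths are the standard Windows locations for the configured locale.

```python
"""Toy behavioural matcher for the signatures in this report (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed list of public-IP lookup services; extend from your own telemetry.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "checkip.dyndns.org", "ip-api.com", "ipinfo.io", "icanhazip.com",
}

# Registry locations that reveal the configured locale / country code.
LOCALE_KEY_RE = re.compile(r"control panel\\international|control\\nls\\locale", re.I)

# Only Add-/Set-MpPreference change Defender settings; Get-MpPreference is a read.
MP_CHANGE_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)

# One argument token: double-quoted, single-quoted, or bare (no whitespace/comma).
TOKEN = r'''"[^"]*"|'[^']*'|[^\s,]+'''
TOKEN_RE = re.compile(TOKEN)
EXCLUSION_RE = re.compile(
    rf"-Exclusion(Path|Extension|Process)\s+((?:{TOKEN})(?:\s*,\s*(?:{TOKEN}))*)", re.I
)


@dataclass(frozen=True)
class Finding:
    signature: str
    detail: str


def check_powershell(script: str) -> list:
    """Defender exclusions added via PowerShell (exclusion class and value)."""
    if not MP_CHANGE_RE.search(script):
        return []
    findings = []
    for kind, raw_args in EXCLUSION_RE.findall(script):
        # TOKEN_RE splits the comma list while keeping commas inside quotes intact.
        for token in TOKEN_RE.findall(raw_args):
            value = token.strip("\"'")
            findings.append(Finding("defender_exclusion", f"{kind.lower()}={value}"))
    if not findings:
        # Setting changed but no exclusion: still worth a look (e.g. realtime disabled).
        findings.append(Finding("defender_preference_change", script.strip()))
    return findings


def check_registry(path: str) -> list:
    """Locale / country-code read, the usual precursor to a geofence decision."""
    return [Finding("locale_check", path)] if LOCALE_KEY_RE.search(path) else []


def check_http(url: str) -> list:
    """Outbound request to a known public-IP lookup service."""
    host = (urlparse(url).hostname or "").lower()
    return [Finding("external_ip_lookup", host)] if host in IP_LOOKUP_HOSTS else []


CHECKS = {"powershell": check_powershell, "registry": check_registry, "http": check_http}


def scan(events) -> list:
    """Run every event through the check for its kind; unknown kinds are ignored."""
    findings = []
    for kind, data in events:
        findings.extend(CHECKS.get(kind, lambda _: [])(data))
    return findings


# Constructed sample telemetry (not captured from the sample in this report).
SAMPLE_EVENTS = [
    ("powershell", "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"),
    ("powershell", r'powershell.exe -NoP -W Hidden -Command Add-MpPreference '
                   r'-ExclusionPath "C:\Users\victim\AppData\Roaming", "C:\ProgramData" '
                   r'-ExclusionExtension .exe,.dll -ExclusionProcess "loader.exe"'),
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\Locale"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("registry", r"HKCU\Control Panel\International\LocaleName"),
    ("http", "http://checkip.dyndns.org/"),
    ("http", "https://api.ipify.org/?format=json"),
    ("http", "https://www.microsoft.com/"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.signature:28s} {finding.detail}")
```

The benign `Get-MpPreference` read and the `Run`-key lookup produce no findings, which is the point of keying the PowerShell rule on `Add-`/`Set-MpPreference` rather than on the word "Exclusion" alone; in production, feed the PowerShell check from Script Block Logging (Event ID 4104) so obfuscated launchers are matched on their decoded content.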

MITRE ATT&CK Enterprise v15

Tasks