General

  • Target

    2023081922.exe

  • Size

    3.4MB

  • Sample

    240619-zgvx1avfnr

  • MD5

    1dbff6c04feb03a07f0b736399753f99

  • SHA1

    d5d7b9b2df21bf15697dc858b65bc326c1baecab

  • SHA256

    c65616850efe2ff94a6e63b3717fd24841e9774b4627dbcc0d3b5837f05f44e0

  • SHA512

    495efc398cb82183d44c1dc56fe782008954fce9f4c75be3808e865bbf2d2278812a87df57636c442675ce28b7bbdee6b6f7499f5b4b8d25708cd3414ced96e1

  • SSDEEP

    12288:1KILJz6L6JXxpJ9lgPBgHtAXl4ejk8S5yAxSgWSMcaQ:Es4L8b3lUgHtQlVFNAcDSMo

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      2023081922.exe

    • Size

      3.4MB

    • MD5

      1dbff6c04feb03a07f0b736399753f99

    • SHA1

      d5d7b9b2df21bf15697dc858b65bc326c1baecab

    • SHA256

      c65616850efe2ff94a6e63b3717fd24841e9774b4627dbcc0d3b5837f05f44e0

    • SHA512

      495efc398cb82183d44c1dc56fe782008954fce9f4c75be3808e865bbf2d2278812a87df57636c442675ce28b7bbdee6b6f7499f5b4b8d25708cd3414ced96e1

    • SSDEEP

      12288:1KILJz6L6JXxpJ9lgPBgHtAXl4ejk8S5yAxSgWSMcaQ:Es4L8b3lUgHtQlVFNAcDSMo

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks