General
Target: DHL-INVOICE-00660840.bat
Size: 2.9MB
Sample: 240625-kr7bfszcqh
MD5: 9298a0798f02a770a07f48b0832f6b90
SHA1: 7534c18ea1f2df754b88f1d648b6f9ac8c0d2bd9
SHA256: 9c21ee0f98ba8ff396a2c3058b20209fc1e71f79b2614dc073c6ebe310a47181
SHA512: 029cb130e8ba7499e5949d23ec3ff51626a8a5308eb03febe174e5418ce19e5210be99f782b5bea230683f3c771c5a86bffdb4b93d8a355256d8cd9e268dd4e7
SSDEEP: 49152:DxmazrQynYIB6FiDvDl57InBK2zX1CVWRxK4cr/oD:6
Static task: static1
Behavioral task: behavioral1
  Sample: DHL-INVOICE-00660840.bat
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: DHL-INVOICE-00660840.bat
  Resource: win10v2004-20240508-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.keeptraveling-eg.com
Port: 587
Username: [email protected]
Password: Do76#Zbbdonia
Email To: [email protected]
Targets
Target: DHL-INVOICE-00660840.bat
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (1)