General

  • Target

    Payment Slip Scan.zip.001

  • Size

    613KB

  • Sample

    240625-nnbxxszfrq

  • MD5

    ca6769b031eda354d8799d61405bf8ba

  • SHA1

    cffd0ea6246b62da50c160734350117adcc5be55

  • SHA256

    2c24902d806183712cd689df503506e5209d1a91afd351e1546a7a3158d75caa

  • SHA512

    20528b287316ae1f5593f7022b4e8ebe1c0d33d50c9ce83c06f3cdcd8a0d93a628a402265cf3c820abe7728b63d808c2ac546947f751e075032c2128d63d63a5

  • SSDEEP

    12288:eJfBwFluMQd65LABwIKpbcoKMc421L8skN/vn+b8GqP3v4Od2:Ofpd65L6oKMct1pOH+4f4Y2

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

Targets

    • Target

      Payment Slip Scan.exe

    • Size

      662KB

    • MD5

      d9fe0cc1c140fdc9f6baa415296141b4

    • SHA1

      73721cb6750b875fe86c96f3fccfe7e18a2f51ae

    • SHA256

      70342c79a11ed5e15d3a8b82db46eeef5c9917d3c1478ddd369a57fb02fcc6ae

    • SHA512

      9112470be6610837adde3bf3637bf1169435bbd5b0d89f41e04e6690f912b9f6cea2de2e4ce50d97dedcf6c95758ba1e8a94f6a62c50e7ebd9773bf1d951e0ce

    • SSDEEP

      12288:3vRwtNQMQL65hA4NppTwgMEEu2Z7L8skr/vb+hflaYGod:/5L65hAiE7pmHSyYGW

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (the sample may refuse to run in certain regions).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
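
The signatures above describe what the sample leaves behind on a host: Defender exclusions, PowerShell activity that created them, a lookup of the external IP, and a read of the configured locale. The following is an added host-triage script for an investigator who suspects this sample ran; it is not code from the sandbox or from Agent Tesla. It assumes an elevated PowerShell session on a Windows host with Defender and script-block logging enabled. The IP-lookup domains and the locale registry values it checks are common examples chosen for illustration, not ones taken from this report, which does not name the service or the key.

```powershell
# Added triage checks for the behaviours flagged in this report (not code from
# the sandbox or from the sample). Run elevated on the host under investigation.
# Assumptions: Defender is present, script-block logging (event 4104) is on, and
# the IP-lookup hosts and locale keys below are illustrative, not from the report.

$since = (Get-Date).AddDays(-7)

# 1. Defender exclusions currently in effect. Add-MpPreference writes these,
#    and an exclusion for a user-writable path, a script extension or a
#    process name is the usual footprint of the behaviour described above.
$pref = Get-MpPreference
[pscustomobject]@{
    ExcludedPaths      = $pref.ExclusionPath
    ExcludedExtensions = $pref.ExclusionExtension
    ExcludedProcesses  = $pref.ExclusionProcess
} | Format-List

# 2. When they were added. Defender logs event 5007 on every configuration
#    change; the message names the registry value that changed, so keep only
#    changes under the Exclusions subkeys.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Windows Defender\\Exclusions\\' } |
    Select-Object TimeCreated,
        @{ n = 'Change'; e = { ($_.Message -split "`n" | Select-String 'New value').Line.Trim() } } |
    Format-Table -AutoSize -Wrap

# 3. The PowerShell that made the change. Script-block logging records the
#    script text in event 4104, so search it for the Defender cmdlets.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Add-MpPreference|Set-MpPreference' } |
    Select-Object TimeCreated, ProcessId,
        @{ n = 'Script'; e = { $_.Message.Substring(0, [Math]::Min(300, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap

# 4. Resolver cache entries for public IP-lookup services. The report says a
#    legitimate service was used but does not name it; this list is assumed.
$ipLookupHosts = 'api.ipify.org', 'icanhazip.com', 'checkip.dyndns.org', 'ip-api.com', 'ifconfig.me'
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $ipLookupHosts -contains $_.Entry } |
    Select-Object Entry, Data, TimeToLive

# 5. The locale values a geofence check would read (assumed keys). Knowing
#    what the host reports here explains why a sample did or did not detonate.
Get-ItemProperty -Path 'HKCU:\Control Panel\International' -Name LocaleName, sCountry -ErrorAction SilentlyContinue |
    Select-Object LocaleName, sCountry
Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -Name Nation -ErrorAction SilentlyContinue |
    Select-Object Nation

# Clean-up, once the exclusion is confirmed malicious (uncomment and supply the path):
# Remove-MpPreference -ExclusionPath 'C:\path\from\step\1'
```

Steps 2 and 3 depend on the relevant logs still being present; a sample that also clears event logs, or a host where script-block logging is off, will show nothing there even though step 1 still reveals the exclusions. The DNS cache check in step 4 only catches recent resolutions, so treat an empty result as inconclusive rather than as evidence the lookup never happened.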

MITRE ATT&CK Enterprise v15

Tasks