General
- Target: 0aff1f5d1c986c4f3b34b74bdbb85120N.exe
- Size: 684KB
- Sample: 240727-14fx2avape
- MD5: 0aff1f5d1c986c4f3b34b74bdbb85120
- SHA1: 17437a4292202c75c97dab9d94a4c96e65962e9d
- SHA256: ce03dc1eef05c8688d097bca608fab8aa4707f5eb98a40bd52da017ef834926d
- SHA512: 4ed37c167623d4f269a77d64cefe499bfa2f9b6ecc9f5644bb9f2a72c10f3cecfa470211c7e6c96c385bb36f3967396803953c1927a55fa315f2fdec2486d4ab
- SSDEEP: 12288:Dd2iNeSY+aZrwrAqiYKISbLRWjPRJi8I88KMB2BDDWFqPAz1GWqGb5i:B14/4rS/pRUPRA8IrKMBCDoz1GWqGb
Static task
- static1
Behavioral task
- behavioral1: Sample 0aff1f5d1c986c4f3b34b74bdbb85120N.exe, Resource win7-20240704-en
Behavioral task
- behavioral2: Sample 0aff1f5d1c986c4f3b34b74bdbb85120N.exe, Resource win10v2004-20240709-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.grupomorales.mx
- Port: 587
- Username: [email protected]
- Password: !%J8}*dhpT{{
- Email To: [email protected]
Targets
- Target: 0aff1f5d1c986c4f3b34b74bdbb85120N.exe
- Size: 684KB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copy of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)