General
-
Target
7f7219150a44e397a72f82fe9c4232887e991f0b3f0469c29d5cd2b8e3f3d0a7.exe
-
Size
663KB
-
Sample
240912-b6bnnavcqn
-
MD5
0d3d3b303fc31bc895e2de16e3698af0
-
SHA1
310228a508b4447134225ab927c2e08d53f81cb7
-
SHA256
7f7219150a44e397a72f82fe9c4232887e991f0b3f0469c29d5cd2b8e3f3d0a7
-
SHA512
937de4d7736555c1a7d1cb851bd474b4bfc7ad9e9b7688862d1c7585d0af26aaf69adddf9027180c9f6a069fa8960e119370dbf7d8ecb7a1b339892f1b6b7817
-
SSDEEP
12288:oz7kvDoQ39JTROww+2bD+gdsDlJUUVuDBmsgBNy4Vs2HicLBt7v:ozoww/MLUcDG7Z
Static task
static1
Behavioral task
behavioral1
Sample
7f7219150a44e397a72f82fe9c4232887e991f0b3f0469c29d5cd2b8e3f3d0a7.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
7f7219150a44e397a72f82fe9c4232887e991f0b3f0469c29d5cd2b8e3f3d0a7.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Extracted
Protocol: ftp- Host:
beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Targets
-
-
Target
7f7219150a44e397a72f82fe9c4232887e991f0b3f0469c29d5cd2b8e3f3d0a7.exe
-
Size
663KB
-
MD5
0d3d3b303fc31bc895e2de16e3698af0
-
SHA1
310228a508b4447134225ab927c2e08d53f81cb7
-
SHA256
7f7219150a44e397a72f82fe9c4232887e991f0b3f0469c29d5cd2b8e3f3d0a7
-
SHA512
937de4d7736555c1a7d1cb851bd474b4bfc7ad9e9b7688862d1c7585d0af26aaf69adddf9027180c9f6a069fa8960e119370dbf7d8ecb7a1b339892f1b6b7817
-
SSDEEP
12288:oz7kvDoQ39JTROww+2bD+gdsDlJUUVuDBmsgBNy4Vs2HicLBt7v:ozoww/MLUcDG7Z
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1