General
- Target: 0aa49257b08dd56e17e93004ed283074b0a7e7c86c104ec6f4d01d0e69f9b6f2.rar
- Size: 590KB
- Sample: 240914-bgfajsyern
- MD5: 410ca33c5536a7fc3593cd8b8be20b98
- SHA1: 5494044130980d52e5309ca298c4985ef1aab9e9
- SHA256: 0aa49257b08dd56e17e93004ed283074b0a7e7c86c104ec6f4d01d0e69f9b6f2
- SHA512: 2c05b176be7841c03461297176bf0b9f654cdc357cf93a6e1437b0ee3c79ee52acee85c0c81476ba19daea722acd15c4ea2711b3e8ba5a6711efd7d9bb51096c
- SSDEEP: 12288:XYb+m4Isui/R8zzfBdM/okhdcMHk0szstV3Ne+Zfp/QRgI:XYb+m4+i/RkzBqP3RsQtV9xVKWI
Static task
- static1

Behavioral task
- behavioral1
  - Sample: MV TBN CALL PORT FOR LOADING COAL_pdf.exe
  - Resource: win7-20240903-en

Behavioral task
- behavioral2
  - Sample: MV TBN CALL PORT FOR LOADING COAL_pdf.exe
  - Resource: win10v2004-20240802-en
Malware Config
Extracted
- agenttesla
  - Protocol: ftp
  - Host: ftp://cash4cars.nz
  - Port: 21
  - Username: [email protected]
  - Password: -[([pqM~nGA4
Targets
- Target: MV TBN CALL PORT FOR LOADING COAL_pdf.exe
  - Size: 641KB
  - MD5: 2546f92a54b6f32407cb0d86c91b330c
  - SHA1: 3b2eeddcae26a3efbb431fc4863e4765ff556392
  - SHA256: c4152d490edfcc1620c4579bc9e9455b8cb71cb9efecb38140a22385ea95a9ce
  - SHA512: df3cdd886e0ac5c315e47b352030313d189d51d4d959977421e443cf6fffd02df108319b5b277c202567caa86327803e1aaf9830d89c3bbc8ee7015703f28ea4
  - SSDEEP: 12288:Tbx119VXiwDIgVFyDu7iKXy2pGL3v5GzD1uIOUgQX14JE9xje50VwXH:BD95lGb5GzDL1pg06
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)