General
-
Target
d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe
-
Size
640KB
-
Sample
240914-ccjyls1gqg
-
MD5
61217d7c7664881d1d97df8a3c539cc4
-
SHA1
c6f020de1f91d2e82883ad60056429f9ef20684a
-
SHA256
d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db
-
SHA512
aec3b2061111850e384e847720cf572291d7e9eed8a012345ba34ac855396e1422ce9b8362efe85d857daf08cb63d9df0397daa7d127e08b62ab85fa7cb4a028
-
SSDEEP
12288:S0gFxlwGD/ERhZ3YtrWPciSFxUTjKjdAwDxnmYXuFGDDhXH:i7zMhhur1iSOjsdAMxmIAO
Static task
static1
Behavioral task
behavioral1
Sample
d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://cash4cars.nz - Port:
21 - Username:
[email protected] - Password:
-[([pqM~nGA4
Targets
-
-
Target
d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db.exe
-
Size
640KB
-
MD5
61217d7c7664881d1d97df8a3c539cc4
-
SHA1
c6f020de1f91d2e82883ad60056429f9ef20684a
-
SHA256
d50faa86234469eb85697aee14b7b16b55caca5c0d1229fc0c5904410ddbf1db
-
SHA512
aec3b2061111850e384e847720cf572291d7e9eed8a012345ba34ac855396e1422ce9b8362efe85d857daf08cb63d9df0397daa7d127e08b62ab85fa7cb4a028
-
SSDEEP
12288:S0gFxlwGD/ERhZ3YtrWPciSFxUTjKjdAwDxnmYXuFGDDhXH:i7zMhhur1iSOjsdAMxmIAO
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1