General
Target: 16092024_0913_16092024_PO1037596.rar
Size: 605KB
Sample: 240916-k6qx1szbpb
MD5: 35e76845d649e69a101a0d0fbea2a1ad
SHA1: 61f397aed0fc24c37b741fa046da490c93f32aef
SHA256: d9d81b7f2062604548db93c379ffecbe38d5b5010d365b6b1ddeb4f856e43527
SHA512: 68fd4df325f9b89c1f2d111173700a2186e62f7759dcfbfcc68bb3ab990bff98ce2eb2d454cebb838eb5e6aaa63af6187e65ca61e0e4b664e3d5f5c567c125c2
SSDEEP: 12288:Be6NxTDiW6f5wif60ddDv0zZ6OoK8Adu72VZAExjwbm07fEw7dYq8aw:BtuW6feizD8zRd8d72VB1em07fdRYTaw
Static task: static1
Behavioral task: behavioral1
Sample: PO1037596.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: PO1037596.exe
Resource: win10v2004-20240802-en
Malware Config
Extracted (agenttesla)
Protocol: smtp
Host: mail.bonnyriggdentalsurgery.com.au
Port: 587
Username: [email protected]
Password: eL)rV@QBKA#m
Email To: [email protected]
Extracted
Protocol: smtp
Host: mail.bonnyriggdentalsurgery.com.au
Port: 587
Username: [email protected]
Password: eL)rV@QBKA#m
Targets
Target: PO1037596.exe
Size: 639KB
MD5: 2d1c2e159be49acd9da60cd08bab1578
SHA1: 9e5aa237b5b8a027c5a52d13db554437dbf603ce
SHA256: 59fcfb7a5c799be9973a2b40bf72a62ec818aff1b2416c5ad7592db25306a176
SHA512: 4b818ab516e8b07a13e8ed2db98bef7ca93ef21448df1e961a417eb8d872b1d5841440d56348ca90a36e9a60e12ce444bebf927f74358528e8b1915ea0f0494a
SSDEEP: 12288:KTnd+S4B5jktylvtQbUdXe0et+7EeCCyVFkHCduv4Pr8+QUef12BVIM1Fk7uykR:3fjktI6JA77CCyPZdu+gf1bSFkg

AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic (.NET).

Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, web browser credential stores.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of SetThreadContext

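The signatures above describe a chain a defender can correlate from ordinary telemetry: a PowerShell call that adds Defender exclusions, a DNS lookup of a public IP-lookup service, and SMTP submission traffic (port 587) to the extracted C2 mail host. The following is an added example, not part of this report or of the sandbox's own tooling, that runs that correlation over constructed sample events. The event records, the `IP_LOOKUP_SERVICES` set (the report does not say which service the sample used), the `MAIL_RELAYS` allowlist and the host names are all assumptions; only the C2 mail host is taken from the extracted config.

```python
import re
from collections import defaultdict

# --- Constructed sample telemetry (not from the report) ---------------------
# Mimics three sources a SOC would correlate: PowerShell script-block logging
# (Event ID 4104), DNS query logs, and outbound flow records. Everything here
# is invented for the demonstration except the C2 mail host.
SAMPLE_EVENTS = [
    {"type": "ps_script", "host": "WS01",
     "text": 'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\drop" '
             '-ExclusionExtension ".exe" -ExclusionProcess "updater.exe"'},
    {"type": "ps_script", "host": "WS02",
     "text": "Get-MpPreference | Select-Object ExclusionPath"},  # benign audit
    {"type": "dns", "host": "WS01", "query": "api.ipify.org"},
    {"type": "dns", "host": "WS01", "query": "mail.bonnyriggdentalsurgery.com.au"},
    {"type": "flow", "host": "WS01", "dst": "203.0.113.10", "dport": 587},
    {"type": "flow", "host": "MAILRELAY01", "dst": "203.0.113.20", "dport": 587},
]

# C2 mail host from the report's extracted AgentTesla config.
C2_MAIL_HOSTS = {"mail.bonnyriggdentalsurgery.com.au"}
# Assumed: public IP-lookup services commonly abused by stealers.
IP_LOOKUP_SERVICES = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
                      "ifconfig.me", "ip-api.com"}
# Assumed: hosts that legitimately speak SMTP submission (587) outbound.
MAIL_RELAYS = {"MAILRELAY01"}

# Only Add-/Set-MpPreference change exclusions; Get-MpPreference just reads them.
MP_PREF_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
# Captures -ExclusionPath/-ExclusionExtension/-ExclusionProcess and its value,
# whether double-quoted, single-quoted or bare (PowerShell arrays such as
# @(...) are not parsed here).
EXCLUSION_RE = re.compile(
    r"(?i)-Exclusion(Path|Extension|Process)\s+(?:\"([^\"]*)\"|'([^']*)'|([^\s,;]+))")


def defender_exclusions(script_text):
    """Return {kind: [values]} for exclusions added via *-MpPreference,
    or {} when the script does not modify Defender preferences."""
    if not MP_PREF_RE.search(script_text):
        return {}
    found = defaultdict(list)
    for m in EXCLUSION_RE.finditer(script_text):
        kind = m.group(1).lower()
        value = next(g for g in m.groups()[1:] if g is not None)
        found[kind].append(value)
    return dict(found)


def _norm(name):
    return name.lower().rstrip(".")


def is_ip_lookup(query):
    """True when a DNS query targets a known public IP-lookup service."""
    q = _norm(query)
    return any(q == s or q.endswith("." + s) for s in IP_LOOKUP_SERVICES)


def is_c2_mail_host(query):
    return _norm(query) in C2_MAIL_HOSTS


def triage(events):
    """Correlate findings per host; return {host: sorted finding names}."""
    findings = defaultdict(set)
    for ev in events:
        h = ev["host"]
        if ev["type"] == "ps_script":
            excl = defender_exclusions(ev["text"])
            if excl:
                findings[h].add("defender_exclusion:" + ",".join(sorted(excl)))
        elif ev["type"] == "dns":
            if is_ip_lookup(ev["query"]):
                findings[h].add("external_ip_lookup")
            if is_c2_mail_host(ev["query"]):
                findings[h].add("agenttesla_c2_dns")
        elif ev["type"] == "flow":
            # Endpoints normally do not submit mail directly on 587.
            if ev["dport"] == 587 and h not in MAIL_RELAYS:
                findings[h].add("smtp_submission_from_endpoint")
    return {h: sorted(f) for h, f in findings.items()}


def hosts_matching_agenttesla_chain(events):
    """Hosts showing every stage in the report: Defender exclusion tampering,
    external IP lookup, and SMTP exfiltration (C2 DNS or 587 from an endpoint)."""
    out = []
    for host, names in triage(events).items():
        stages = {n.split(":")[0] for n in names}
        if ({"defender_exclusion", "external_ip_lookup"} <= stages
                and stages & {"agenttesla_c2_dns", "smtp_submission_from_endpoint"}):
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
    print("full chain:", hosts_matching_agenttesla_chain(SAMPLE_EVENTS))
```

The per-host correlation matters more than any single rule: an `Add-MpPreference` alone may be an administrator, and a lookup of api.ipify.org alone is common, but one workstation doing both and then talking SMTP submission to a non-relay destination is the behaviour this sample exhibits.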
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (T1555): 1
  Credentials from Web Browsers (T1555.003): 1
Unsecured Credentials (T1552): 4
  Credentials In Files (T1552.001): 3
  Credentials in Registry (T1552.002): 1