General
Target: Confirmación de pago.tgz
Size: 1.4MB
Sample: 240916-kysrmsygqb
MD5: f7455f462dcaa58e46ceb606d51a3b96
SHA1: c29da0495d6c998caba875acb0cae66c94900e9a
SHA256: aee487cfb44d63408f984764a1a3ffafbe6986db198a66d90c1ac97c389d95ff
SHA512: 46fcfd6b3a2f001765c9d542c0bae106c8f4714a28d36309667ed543f32bcddb941d9aa020f18c2015687265475556cdd62b1943d9d625796f55bf4fca0654f5
SSDEEP: 12288:+1W3nUQNUVFWaMCe+ej65u1P2t8QTW6Ptywb7+aH6hq5V:ReFWYRw1PAvPcwb7fee
Static task: static1
Behavioral task behavioral1: sample Confirmación de pago.gz, resource win7-20240903-en
Behavioral task behavioral2: sample Confirmación de pago.gz, resource win10v2004-20240802-en
Behavioral task behavioral3: sample sample.tar, resource win7-20240708-en
Behavioral task behavioral4: sample sample.tar, resource win10v2004-20240802-en
Behavioral task behavioral5: sample Confirmación de pago.exe, resource win7-20240903-en
Behavioral task behavioral6: sample Confirmación de pago.exe, resource win10v2004-20240802-en
Malware Config
Extracted family: agenttesla
Extracted URL: https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/
Targets

Target: Confirmación de pago.tgz
Size: 1.4MB
MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed under General above
Score: 3/10
Target: sample
Size: 810.6MB
MD5: 7fe98a6e5f0d17baeac7e42c3723d128
SHA1: 27bb29e7b919df8f9f9e39a5048d262b7ea6c2c5
SHA256: 3a1905a02d95a95fe9ffa32e967794f30cb67ffbf58f3157d2a900d0e939ec51
SHA512: 957d6ce70f9a9167b38fa89fc73c004fd0a5b5475719338e071da5a74b2fa639a3c4ee006348b206747b96364952b987fbe2190fdf5911f2d5cbd03096a99320
SSDEEP: 12288:Cti6NGb1oa6i42ez6fu1P+t8UTWibJEw5roaH6NqC:z1oY/21PITbOw5rZS
Score: 3/10
Target: Confirmación de pago.exe
Size: 810.6MB
MD5: 55f21afea211a393b016c037db0dee43
SHA1: e0772dccb1f17d89f122876b148488530b693af6
SHA256: 99c708fb16999955b141f531644e954ba7e12453af9e11e968d3b9d0bcaed268
SHA512: a44e5a7086e60ca1c9bbbf1b44e010747c38a3153418b95dd1e6f00af9b57b1c9071d6124ef66613a056bc951f6395a919fdaec0a4735c443a2bf834ee4b9429
SSDEEP: 12288:kti6NGb1oa6i42ez6fu1P+t8UTWibJEw5roaH6NqC:V1oY/21PITbOw5rZS
Signatures
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Credentials from Password Stores: Credentials from Web Browsers: Malicious access to, or copy of, the web browser credential store.
Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)