General

  • Target

    Trojan.Win32.Leonem-f6f16768f258eb2d7bd2acac45f266331d96d9964bbceabdd5bc72a85dadcf8dN

  • Size

    621KB

  • Sample

    240916-l5kv2s1grg

  • MD5

    e6efa87139608430d0428224bb6fe680

  • SHA1

    964f02a9916b8a4a8c2feb441abbb318a18220cb

  • SHA256

    f6f16768f258eb2d7bd2acac45f266331d96d9964bbceabdd5bc72a85dadcf8d

  • SHA512

    4e9c28dea775e693e0e2a9f2cd0644628b97c7d1288ca2386e24abce2549ca1fe32f44cae5e2111cb5279a26ef33612e61057187934600b921e102bcb18b9ae9

  • SSDEEP

    12288:iM7kvPni5MNJvFPOqBovzN0pCcqwibPjiCzK8edXHIPINdpZ/E3:iMoPi5gZZBqzN0XOPjiCzKrhoYpa3

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Trojan.Win32.Leonem-f6f16768f258eb2d7bd2acac45f266331d96d9964bbceabdd5bc72a85dadcf8dN

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks