General

  • Target

    tmp67qtf_k_

  • Size

    1.0MB

  • Sample

    240918-n6askszalc

  • MD5

    bbec860047a8e57d464f8ca00ba3dd9e

  • SHA1

    25078f4b524446d73844952780b1c80750bc8fc7

  • SHA256

    617aad709ac7d66890968766cc4b21481d268624d5505963058e7fa10748a57c

  • SHA512

    a4a0ec4346bb59e39b571f3f058c5211222de0a93cbc570e05cefb5f951a2e44983001c6fd7cfe7ca2bb753fd88db2ae9d64aede2f541af669589db3346827ab

  • SSDEEP

    24576:8ctTx3fcFSvgIl5urL05mUyl7EbL9j1ui1q:FxvcmurAIEX11u

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

    (the extracted exfiltration credentials are not reproduced on this page)

Targets

    • Target

      tmp67qtf_k_

    • AgentTesla

      Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer, historically written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients, logs keystrokes and clipboard contents, and exfiltrates the data over SMTP, FTP, HTTP or Telegram depending on the build.

    • Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

      Malicious access to, or copying of, a web browser's saved-credential store (for example Chromium's "Login Data" SQLite database or Firefox's logins.json and key4.db) by a process that is not the browser itself.

    • Command and Scripting Interpreter: PowerShell (T1059.001)

      Runs PowerShell (typically Add-MpPreference or Set-MpPreference) to add Windows Defender exclusions for file extensions, paths and processes so the dropped payload is not scanned. On a real host this leaves a trail in PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104) and in the Defender operational log (event 5007, configuration changed), both worth alerting on.

    • Checks computer location settings

      Looks up the country code configured in the registry (HKCU\Control Panel\International, e.g. the Geo\Nation value), most likely a geofence so the payload only runs, or refuses to run, in particular regions.

    • Suspicious use of SetThreadContext

      Sets the register context (instruction pointer) of a thread in another process. Together with a process created suspended and WriteProcessMemory, this is the classic process-hollowing sequence used to run the unpacked payload inside a legitimate-looking host process before ResumeThread.
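
As an added illustration of how the four behavioural signatures above can be expressed as checks (example code written for this page, not the sandbox's own detection rules), the following Python matches them over a constructed, simplified event trace. The "kind|process|detail" event format, the sample events, the file paths, the host process name and the browser allow-list are all assumptions made for the example; the SetThreadContext check deliberately requires the full hollowing sequence rather than the single API call, which on its own is noisy.

```python
"""Toy behavioural-signature matcher over sandbox-style event lines.

Added example, not part of the original report. The "kind|process|detail"
event format and every sample event below are constructed for illustration;
the four checks mirror the signature names in the report above.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    kind: str     # process | registry | file | api
    process: str  # image name of the acting process
    detail: str   # command line, path or API call (free text)


def parse_events(lines: List[str]) -> List[Event]:
    """Parse 'kind|process|detail' lines; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, process, detail = line.split("|", 2)
        events.append(Event(kind, process, detail))
    return events


# Add-/Set-MpPreference with any -Exclusion* switch (Defender exclusion tampering)
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)
# Country / locale values a geofence typically reads
GEO_VALUE = re.compile(r"Control Panel\\International\\(Geo\\Nation|sCountry)", re.I)
# Chromium and Firefox saved-credential stores
BROWSER_CRED_STORE = re.compile(r"\\(Login Data|logins\.json|key4\.db)$", re.I)
# Browsers are allowed to open their own credential stores (assumed allow-list)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Process hollowing: suspended create -> write -> set context -> resume
HOLLOWING_SEQUENCE = ("CREATE_SUSPENDED", "WriteProcessMemory",
                      "SetThreadContext", "ResumeThread")


def sig_powershell_exclusion(events: List[Event]) -> bool:
    return any(e.kind == "process"
               and "powershell" in (e.process + " " + e.detail).lower()
               and DEFENDER_EXCLUSION.search(e.detail) is not None
               for e in events)


def sig_geo_lookup(events: List[Event]) -> bool:
    return any(e.kind == "registry" and GEO_VALUE.search(e.detail) is not None
               for e in events)


def sig_browser_creds(events: List[Event]) -> bool:
    return any(e.kind == "file"
               and e.process.lower() not in BROWSER_IMAGES
               and BROWSER_CRED_STORE.search(e.detail) is not None
               for e in events)


def sig_set_thread_context(events: List[Event]) -> bool:
    """Require the whole hollowing sequence from one process, in order."""
    stage: Dict[str, int] = {}
    for e in events:
        if e.kind != "api":
            continue
        s = stage.get(e.process, 0)
        if s < len(HOLLOWING_SEQUENCE) and HOLLOWING_SEQUENCE[s] in e.detail:
            stage[e.process] = s + 1
    return any(s == len(HOLLOWING_SEQUENCE) for s in stage.values())


SIGNATURES: Dict[str, Callable[[List[Event]], bool]] = {
    "Command and Scripting Interpreter: PowerShell": sig_powershell_exclusion,
    "Checks computer location settings": sig_geo_lookup,
    "Credentials from Password Stores: Credentials from Web Browsers": sig_browser_creds,
    "Suspicious use of SetThreadContext": sig_set_thread_context,
}


def match_signatures(lines: List[str]) -> List[str]:
    """Return the names of all signatures that fire on the given event lines."""
    events = parse_events(lines)
    return [name for name, check in SIGNATURES.items() if check(events)]


# Constructed trace resembling the behaviour listed in the report (not real sandbox output).
SAMPLE_EVENTS = [
    r"process|tmp67qtf_k_.exe|CreateProcess powershell.exe -nop -w hidden -c "
    r"Add-MpPreference -ExclusionPath C:\Users\Public -ExclusionExtension exe -ExclusionProcess tmp67qtf_k_.exe",
    r"registry|tmp67qtf_k_.exe|RegQueryValue HKCU\Control Panel\International\Geo\Nation",
    r"file|tmp67qtf_k_.exe|CreateFile C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"file|tmp67qtf_k_.exe|CreateFile C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json",
    r"api|tmp67qtf_k_.exe|CreateProcess host.exe CREATE_SUSPENDED",
    r"api|tmp67qtf_k_.exe|WriteProcessMemory pid=4212",
    r"api|tmp67qtf_k_.exe|SetThreadContext tid=4216",
    r"api|tmp67qtf_k_.exe|ResumeThread tid=4216",
]

# Constructed benign activity: browser reading its own store, PowerShell only querying Defender.
BENIGN_EVENTS = [
    r"file|chrome.exe|CreateFile C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"process|explorer.exe|CreateProcess powershell.exe -c Get-MpPreference",
    r"api|explorer.exe|SetThreadContext tid=900",
]

if __name__ == "__main__":
    for name in match_signatures(SAMPLE_EVENTS):
        print("HIT:", name)
    print("benign hits:", match_signatures(BENIGN_EVENTS))
```

Running the block prints the four signature names for the constructed trace and an empty list for the benign events; dropping the ResumeThread line from the trace is enough to silence the SetThreadContext check, which is the point of matching the sequence rather than the single call.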

MITRE ATT&CK Enterprise v15