General

  • Target

    SPW AW25 - PO.010.exe

  • Size

    836KB

  • Sample

    240919-pllj1syekn

  • MD5

    64d78850bcb1730279f0221558cfbf73

  • SHA1

    c7aa58c22c4941eebc0663cedf20d3ec5d0373e4

  • SHA256

    4568453d8e6838ec1f2e1dd9cfe87b257aa7bcbebb888c3b3c8c0514afb74b91

  • SHA512

    54f998f313f80194be851781e8ad76017a0ecb374fc4e5af3b345baa6af913e7b2bc62bd1a9d18f9c842a6247eaebfd41c1b3066e771b6b2fd60539570da2b8e

  • SSDEEP

    12288:eHnH0mNTkTaMg+i0hREhXV+/VSiyMIA22AxE/3v6OD7FP7r9r/+pppppppppppp9:eHxTkuMg+i00biEi/RcovBDZ1q

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SPW AW25 - PO.010.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks