General

Target: cj.zip
Size: 1.4MB
Sample: 240921-3w583a1elf
MD5: 32903f4f041d88950ba1768670b260fa
SHA1: da60e525522f5edff0bcfc214ec3499f0ca344f6
SHA256: 403c6b151976080257ee2ba66535a58f1a9b824ec6ac90e24159910b61b20c13
SHA512: 514b1bf7fcd887b3952e7efef20af525773e103b8f967d3a07ecb59a8c0be4d67f92666b1cda5fac6b9c076fcf6f8b8f5e72d57f055e999cf0d84fb5789ec840
SSDEEP: 24576:tS17JAsQBpTxtJXnXlk/9jWSc+N61f0C63:tSSBDtJXXlpS9N618C63
Static task: static1
Behavioral task: behavioral1
Sample: cj.exe
Resource: win10v2004-20240802-en

Malware Config

Extracted
Family: agenttesla
C2: https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/
Targets

Target: cj.exe
Size: 810.6MB
MD5: 4577904002f77c1cc861041f379d0fae
SHA1: 9ad75bebaaae5a2c63600e4e3fa39de3751fd0cb
SHA256: e138199d0ad358bec8b6dfd708afe4e2f071686116d04eb797d542788346e6e3
SHA512: 38117f967643c05dbc31f1a3a165baf7f2b69cdb284b583e2f2408ca7e59e6f540864c579a8e794999d792cb761b2f2417234936b9016ec29a5ec6bf0ea98e91
SSDEEP: 12288:4Pn0mNOJgrxmdQqe19Z/PamxTu3VWRe2OjNk7d7q88u3UQ/370Vr:45OJAkQBt/PLxaMyOdu8jkQ/er

Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, the web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)