General

  • Target

    DHL- CBJ520818836689.pdf.exe

  • Size

    650KB

  • Sample

    240922-f4aqsstejn

  • MD5

    114920a4c198638f361a9acf7830f301

  • SHA1

    4c3bd0dd2e0696f8f0cc3b069878380ee53e8af0

  • SHA256

    172799005230f9863cf5a2248248fc9ddcf1849a45d40c2f79ea1924bb14075c

  • SHA512

    7bdd4888a7eeaaf47da2ae637a6f136308e3bd7f8c8e1f4020e3631c28b56c1bc207915fd5de55833c1c551827294f4f1b16bb8ff107a3fbe67561768a768740

  • SSDEEP

    12288:1zsE+QCaydbw3L3hrwmB4EQeoOMbx17O5gd9qgEDDhEzPJo5FJlGWdWIh19CVyvy:8QCa2bwj1wDxpdogUWo+IHLvwGS

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DHL- CBJ520818836689.pdf.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks