General

  • Target

    DHL INVOICE pfd.bat.exe

  • Size

    626KB

  • Sample

    240922-f4aqssteqb

  • MD5

    f344a454d4cb1d1e01da2e2c080dac29

  • SHA1

    3936c488c511a6ca05b992fda487ce5e971e57a0

  • SHA256

    fd4ca109bbafcc509f99cea673648c2baa6934e9eb9a903b0c24c2e7f84d56c4

  • SHA512

    2c71626ff41eac134c6f071c8ce124de87f46ec27ba4075bc452a80d4992688bbd7e056af74b8ab43d623dbea05de8311d76562216a7cc3f20467cfe22677f8d

  • SSDEEP

    12288:DHWZ0mNke8OvXWRA64zeEZgrJckmzDQVpOOn99zgL3qF0KsUvwiqk8:D2DV+EzepS/DQVpQMsUvwRH
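The target name itself is a lure: "pfd" is a transposition of "pdf", and the trailing ".bat.exe" is a double extension (with "Hide extensions for known file types" on, Explorer shows the file as "DHL INVOICE pfd.bat"). The following Python triage helper is an added example, not part of the sandbox report: it flags those filename characteristics and matches a file buffer against the hashes listed above. The extension lists, lure words and transposition heuristic are assumptions for illustration.

```python
import hashlib
import re

# Hashes copied from the report's General section.
REPORT_IOCS = {
    "md5": "f344a454d4cb1d1e01da2e2c080dac29",
    "sha1": "3936c488c511a6ca05b992fda487ce5e971e57a0",
    "sha256": "fd4ca109bbafcc509f99cea673648c2baa6934e9eb9a903b0c24c2e7f84d56c4",
    "sha512": "2c71626ff41eac134c6f071c8ce124de87f46ec27ba4075bc452a80d4992688bbd7e056af74b8ab43d623dbea05de8311d76562216a7cc3f20467cfe22677f8d",
}

# Heuristic lists: assumptions for illustration, not taken from the report.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}
LURE_WORDS = re.compile(r"\b(?:invoice|dhl|fedex|ups|payment|receipt|order|shipment)\b", re.I)


def assess_filename(name: str) -> list:
    """Return the lure indicators present in a submitted filename."""
    flags = []
    lowered = name.lower()
    exts = lowered.split(".")[1:]            # every extension after the base name
    if exts and exts[-1] in EXECUTABLE_EXTS:
        flags.append("executable")
        if len(exts) >= 2:
            flags.append("double_extension")     # e.g. ".bat.exe"
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            flags.append("document_masquerade")  # e.g. ".pdf.exe"
    # Transposed document extension such as "pfd" for "pdf": same letters,
    # different order. A heuristic assumed here, not a report finding.
    tokens = re.findall(r"[a-z0-9]+", lowered)
    if any(tok != doc and sorted(tok) == sorted(doc)
           for tok in tokens for doc in DOCUMENT_EXTS):
        flags.append("typosquatted_document_extension")
    if LURE_WORDS.search(lowered):
        flags.append("delivery_lure")
    return flags


def hash_buffer(data: bytes) -> dict:
    """Compute the same four digests the report lists, as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_IOCS}


def match_iocs(data: bytes) -> list:
    """Names of the algorithms whose digest of `data` equals the report's IOC."""
    digests = hash_buffer(data)
    return [algo for algo, value in REPORT_IOCS.items() if digests[algo] == value]


def triage(name: str, data: bytes) -> dict:
    """Combine filename indicators and IOC matching into one verdict record."""
    return {"filename_flags": assess_filename(name), "ioc_matches": match_iocs(data)}


if __name__ == "__main__":
    # Constructed stand-in for the sample body; the real file is not embedded here.
    print(triage("DHL INVOICE pfd.bat.exe", b"constructed placeholder bytes"))
```

Any filename that scores "double_extension" or "typosquatted_document_extension" together with "delivery_lure" deserves detonation regardless of whether the hashes are already known; hash matching only confirms this exact build, and a rebuilt AgentTesla dropper with a new hash will still trip the filename rules.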

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DHL INVOICE pfd.bat.exe

    • Size

      626KB

    • MD5

      f344a454d4cb1d1e01da2e2c080dac29

    • SHA1

      3936c488c511a6ca05b992fda487ce5e971e57a0

    • SHA256

      fd4ca109bbafcc509f99cea673648c2baa6934e9eb9a903b0c24c2e7f84d56c4

    • SHA512

      2c71626ff41eac134c6f071c8ce124de87f46ec27ba4075bc452a80d4992688bbd7e056af74b8ab43d623dbea05de8311d76562216a7cc3f20467cfe22677f8d

    • SSDEEP

      12288:DHWZ0mNke8OvXWRA64zeEZgrJckmzDQVpOOn99zgL3qF0KsUvwiqk8:D2DV+EzepS/DQVpQMsUvwRH

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, web browser credential stores.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

    • Suspicious use of SetThreadContext

      SetThreadContext is characteristic of process hollowing: a process is created suspended, its image is overwritten with the payload, and the primary thread's context is redirected to the injected code before the thread is resumed.
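Two of the signatures above leave telemetry a defender can act on: the PowerShell tampering with Defender exclusions shows up in script-block (4104) and process-creation (4688) events, and the external IP lookup shows up in web-proxy logs. The following Python block is an added detection example, not from the report or from the sandbox vendor. The event and proxy line formats, the IP-lookup host list, and the sample lines are all constructed for illustration; the only product facts relied on are that Add-MpPreference/Set-MpPreference take -ExclusionPath, -ExclusionExtension and -ExclusionProcess, and that PowerShell's -EncodedCommand carries base64 of UTF-16LE script text.

```python
import base64
import re
from typing import Optional

# Constructed sample telemetry (not from the report): flattened Windows event
# lines followed by web-proxy access lines.
SAMPLE_EVENTS = [
    '4104 ScriptBlockText: Add-MpPreference -ExclusionPath "C:\\Users\\Public" -ExclusionExtension ".exe"',
    '4104 ScriptBlockText: Get-MpPreference | Select-Object -ExpandProperty ExclusionPath',
]
# An encoded-command launch, encoded at import time so the base64 is exact.
_ENCODED = base64.b64encode(
    'Set-MpPreference -ExclusionProcess "svchost.exe"'.encode("utf-16-le")).decode()
SAMPLE_EVENTS.append(f"4688 CommandLine: powershell.exe -nop -w hidden -enc {_ENCODED}")

SAMPLE_PROXY = [
    "2024-09-22T10:01:02Z 10.0.0.5 GET http://api.ipify.org/ 200",
    "2024-09-22T10:01:05Z 10.0.0.5 GET https://www.microsoft.com/ 200",
]

# Add-/Set-MpPreference followed by one of the exclusion parameters.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I)
# PowerShell accepts abbreviated parameter names; cover the common spellings.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)
# Public "what is my IP" services; an assumed list, the report names none.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me",
    "ipinfo.io", "checkip.amazonaws.com", "ip-api.com",
}


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand is base64 over the UTF-16LE script text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_powershell(line: str) -> list:
    """Flag Defender exclusion changes, looking inside encoded commands too."""
    findings = []
    text = line
    for b64 in ENCODED_RE.findall(line):
        decoded = decode_encoded_command(b64)
        if decoded:
            findings.append("encoded_command")
            text += "\n" + decoded          # inspect the decoded script as well
    if EXCLUSION_RE.search(text):
        findings.append("defender_exclusion")
    return findings


def analyze_proxy(line: str) -> Optional[str]:
    """Return the contacted host if it is a known external-IP lookup service."""
    m = HOST_RE.search(line)
    if not m:
        return None
    host = m.group(1).lower()
    for known in IP_LOOKUP_HOSTS:
        if host == known or host.endswith("." + known):
            return host
    return None


def scan(events=SAMPLE_EVENTS, proxy=SAMPLE_PROXY) -> dict:
    """Run both detectors and return findings keyed by source."""
    ps_hits = []
    for index, line in enumerate(events):
        found = analyze_powershell(line)
        if found:
            ps_hits.append((index, found))
    return {"powershell": ps_hits,
            "ip_lookup": [h for h in map(analyze_proxy, proxy) if h]}


if __name__ == "__main__":
    print(scan())
```

The Get-MpPreference line is left alone on purpose: reading exclusions is routine administration, while Add-/Set- with an exclusion parameter from a user-context PowerShell is the behaviour the sandbox flagged. Decoding -EncodedCommand before matching matters because the plain 4688 command line never contains the cmdlet name. The IP-lookup hit is low severity on its own but corroborating when it follows the exclusion change from the same host.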

MITRE ATT&CK Enterprise v15

Tasks