General
-
Target
c2ac2d066557e29bc823b3ce1372ab2bb51d023359ce558672760c456e7798cfN
-
Size
673KB
-
Sample
240922-f6dv8stfre
-
MD5
60fc35fbc0b5436ea3e9249f1bc911b0
-
SHA1
2cec73cf55c2d18b33daef3499e93390620bb993
-
SHA256
c2ac2d066557e29bc823b3ce1372ab2bb51d023359ce558672760c456e7798cf
-
SHA512
e451bc9a1052e09caad103c75308c5457521cb31102b2eb80a9e3041a11767b336cd6a14db6f133f657c06f3c74acfe70263ac2ae8619b11d49af21253f7f31c
-
SSDEEP
12288:TZVBn2lHhxmmzB7c6738o2w+VFggfeS8gEydAzqDIkZ6b:T8lH6aY67Mo2w+VYS8ghjE
Static task
static1
Behavioral task
behavioral1
Sample
c2ac2d066557e29bc823b3ce1372ab2bb51d023359ce558672760c456e7798cfN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c2ac2d066557e29bc823b3ce1372ab2bb51d023359ce558672760c456e7798cfN.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Protocol: ftp- Host:
ftp.haliza.com.my - Port:
21 - Username:
[email protected] - Password:
JesusChrist007$
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.haliza.com.my - Port:
21 - Username:
[email protected] - Password:
JesusChrist007$
Targets
-
-
Target
c2ac2d066557e29bc823b3ce1372ab2bb51d023359ce558672760c456e7798cfN
-
Size
673KB
-
MD5
60fc35fbc0b5436ea3e9249f1bc911b0
-
SHA1
2cec73cf55c2d18b33daef3499e93390620bb993
-
SHA256
c2ac2d066557e29bc823b3ce1372ab2bb51d023359ce558672760c456e7798cf
-
SHA512
e451bc9a1052e09caad103c75308c5457521cb31102b2eb80a9e3041a11767b336cd6a14db6f133f657c06f3c74acfe70263ac2ae8619b11d49af21253f7f31c
-
SSDEEP
12288:TZVBn2lHhxmmzB7c6738o2w+VFggfeS8gEydAzqDIkZ6b:T8lH6aY67Mo2w+VYS8ghjE
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1