General

  • Target

    PI #OVES1912196.scr.exe

  • Size

    826KB

  • Sample

    240923-l43dpsthpp

  • MD5

    1b136a73f10f2b2b837c46161eceaba9

  • SHA1

    0bb6bfbd1a79432f03e1b51f697f664a628a5e90

  • SHA256

    7df1b33f35a3ca87f9242153c847cc0d8e1d45c7e3b5c5ecf9f23bddbf94b052

  • SHA512

    30a82ab4146edf04179f53dc0527baf9b7bb8c82288009cb6704c47ba1c735ca96a57206a739d209b7ed3615ae52847d2f4a0ec8b1e889d06b323051ee344e30

  • SSDEEP

    24576:wiHxlaIGgVnElx5T6GMgitt8p10uF2VtQ/2:wiHxlaHl/6GtitGf0uF2VtQ/2

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks