General
Target: Balance payment.exe
Size: 1.4MB
Sample: 240928-g52rcatdnc
MD5: 86e5efa7d3dce6320ffcdfc12f628cba
SHA1: d3d26c7eddb95e028c13b97f94f330e5ad5dbba4
SHA256: 07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6
SHA512: cb5d2fa04260b9ca8b8200dfa8881d82ae7cd701822c0cb3c8df5846a6f315c60475a39dc9048094d78fc8c2be21e4df734b805ac2f205c3c67b1a1b89cd8e23
SSDEEP: 24576:ivrA5SXIIYCcp3WLcndXJp80oPQZ3aO30KISlm7mgXKrqEKdCSu59m6nnjqKoe:ivOkRYCcp3ZrpBooF1Tm6g6rFKdg9rjF

Tasks
Static task: static1
Behavioral task: behavioral1 (sample: Balance payment.exe; resource: win7-20240903-en)
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.iaa-airferight.com
Port: 587
Username: [email protected]
Password: webmaster
Email To: [email protected]
Targets
Target: Balance payment.exe (1.4MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures
- AgentTesla: Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. This sample exfiltrates over SMTP using the mail server and credentials listed in the Malware Config above.
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.
- Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence to avoid running in certain regions.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext: Setting the thread context of another process is typical of process hollowing, where the payload is written into a suspended host process and its entry point redirected.
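The three behaviours above that leave host or network telemetry (Defender exclusions added from PowerShell, the external-IP lookup, and SMTP exfiltration to the configured mail server) can be checked for in endpoint logs. The following is an added detection example, not part of the sandbox report and not the sample's own code: it runs simple rules over constructed Sysmon-style events. The event field names, the list of IP-lookup services, and the mail-client allow-list are assumptions; the SMTP host and port come from the Malware Config above. It also handles the common evasion of hiding the Add-MpPreference call behind -EncodedCommand.

```python
"""Detection checks for the signatures in the report, run over constructed
Sysmon-style events (dicts). Field names, IP-lookup host list and mail-client
allow-list are assumptions, not taken from the report."""
import base64
import binascii
import re

# Defender exclusion tampering via PowerShell. PowerShell accepts any unambiguous
# parameter prefix, so any "-Exclusion..." parameter (Path, Extension, Process,
# or abbreviated forms) is flagged, not only the spelled-out names.
MP_PREFERENCE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(r"-Exclusion\w*", re.IGNORECASE)
# -e/-ec/-en/-enc/-EncodedCommand followed by a base64 blob holding a UTF-16LE script.
ENCODED_CMD = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)

# Legitimate "what is my IP" services commonly contacted by stealers (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com"}
# Processes expected to speak SMTP (assumed allow-list); anything else on these ports is suspect.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample telemetry (not from the sandbox run).
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionExtension exe".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\victim\Desktop\Balance payment.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventType": "ProcessCreate", "Image": PS,
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming"'},
    {"EventType": "ProcessCreate", "Image": PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventType": "ProcessCreate", "Image": PS, "CommandLine": "powershell.exe Get-MpPreference"},
    {"EventType": "NetworkConnect", "Image": SAMPLE,
     "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
    {"EventType": "NetworkConnect", "Image": SAMPLE,
     "DestinationHostname": "mail.iaa-airferight.com", "DestinationPort": 587},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
]


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or '' if absent or malformed."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""


def flag_defender_exclusion(event):
    """True if a process-creation event adds/sets a Defender exclusion, plain or base64-encoded."""
    cmd = event.get("CommandLine", "")
    for text in (cmd, decode_encoded_command(cmd)):
        if MP_PREFERENCE.search(text) and EXCLUSION_PARAM.search(text):
            return True
    return False


def flag_ip_lookup(event):
    """True if a network event targets a known external-IP lookup service."""
    return event.get("DestinationHostname", "").lower() in IP_LOOKUP_HOSTS


def flag_smtp_exfil(event):
    """True if a non-mail-client process opens an SMTP/submission port."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return event.get("DestinationPort") in SMTP_PORTS and image not in MAIL_CLIENTS


def triage(events):
    """Run all rules over the events; return (rule, detail) hits in event order."""
    hits = []
    for e in events:
        if e["EventType"] == "ProcessCreate" and flag_defender_exclusion(e):
            hits.append(("defender_exclusion", e["Image"]))
        if e["EventType"] == "NetworkConnect":
            if flag_ip_lookup(e):
                hits.append(("external_ip_lookup", e["DestinationHostname"]))
            if flag_smtp_exfil(e):
                hits.append(("smtp_from_non_mail_client",
                             f"{e['DestinationHostname']}:{e['DestinationPort']}"))
    return hits


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```

On a suspected host the same exclusion check can be made directly with `Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess`; any entry that was not set by policy is worth treating as evidence of the tampering described above.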
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)