General

  • Target

    DHL.exe

  • Size

    1.2MB

  • Sample

    241021-skl1yaxhqc

  • MD5

    38746734e4e287d65ed65578c1061643

  • SHA1

    054c53403bee29c2b1738ab1de2eff76f23c05c4

  • SHA256

    339f0ed83e05e28b1b8012a283a081fe5a925a64007ea197335d0dd9036ae438

  • SHA512

    249b3b757de765d753947b78e81cab918b0002a5e16a5215b4867219015c4e848e4f9ec0823da839aaf8689aa5b6b2e51a94bfdcc35d49a0d4d1c70f11702c74

  • SSDEEP

    24576:mPdPt1qjIRYqSSI+sQW5XHgQTR94urcGapylv7z6P89AMW:KV1QqCLQW5XHdnd7y89AMW

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    oadc jzrw bmvr klnl

Extracted

Family

agenttesla

Credentials

    The SMTP account listed above. Agent Tesla uses the configured mail account to send harvested data out, so these are the attacker's exfiltration credentials; the password has the four-groups-of-four-letters shape of a Google app password.

Targets

    • Target

      DHL.exe

    • AgentTesla

      Agent Tesla is a .NET-based information stealer and remote access tool (RAT), written in Visual Basic .NET. It harvests saved credentials, keystrokes and clipboard contents and exfiltrates them over SMTP, FTP, HTTP or Telegram.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the console window hidden (-WindowStyle Hidden, or an abbreviated form such as -w hidden), so the user sees nothing while the script runs.

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup service to discover the infected system's external IP address; stealers typically include it in the exfiltrated report.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so an attached debugger receives no events for that thread.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) on an existing thread, a common anti-debugging trick.
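The behaviours and extracted configuration above translate directly into endpoint detections. The following is an added example, not part of the sandbox report: it turns the report's indicators (the sample SHA256, the SMTP exfiltration host and port, the Gmail app-password shape) into checks run over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events. The list of mail clients allowed to speak SMTP, the set of IP lookup services, and the event contents are assumptions made for the example, not data from the sandbox run.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the sandbox report above.
SAMPLE_SHA256 = "339f0ed83e05e28b1b8012a283a081fe5a925a64007ea197335d0dd9036ae438"
EXFIL_SMTP_HOST = "smtp.gmail.com"
EXFIL_SMTP_PORT = 587

# Assumptions for this example, not from the report: processes that are
# allowed to talk SMTP, and public IP lookup services stealers commonly use.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com"}

# powershell.exe accepts unambiguous prefixes of parameter names, so
# -w, -win and -WindowStyle are all the same switch; match any of them.
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)


def is_gmail_app_password(secret: str) -> bool:
    """Google app passwords are 16 lowercase letters shown as four groups of four."""
    return re.fullmatch(r"(?:[a-z]{4} ){3}[a-z]{4}", secret) is not None


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def check_event(ev: dict) -> list:
    """Return the names of the report's behaviours that this one event exhibits."""
    alerts = []
    image = _basename(ev.get("Image", ""))
    if ev["EventID"] == 1:  # process creation
        if ev.get("SHA256", "").lower() == SAMPLE_SHA256:
            alerts.append("known_sample_hash")
        if image in ("powershell.exe", "pwsh.exe") and HIDDEN_WINDOW.search(ev.get("CommandLine", "")):
            alerts.append("powershell_hidden_window")
    elif ev["EventID"] == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort", 0))
        # SMTP from anything that is not a mail client is the exfil channel.
        if host == EXFIL_SMTP_HOST and port in (25, 465, EXFIL_SMTP_PORT) and image not in MAIL_CLIENTS:
            alerts.append("smtp_exfil_from_non_mail_client")
        if host in IP_LOOKUP_HOSTS:
            alerts.append("external_ip_lookup")
    return alerts


def scan(events) -> dict:
    """Map each alert name to the (lower-cased) image names that triggered it."""
    hits = defaultdict(list)
    for ev in events:
        for alert in check_event(ev):
            hits[alert].append(_basename(ev.get("Image", "")))
    return dict(hits)


# Constructed Sysmon-style events for the example; not taken from the sandbox run.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\DHL.exe",
     "CommandLine": "DHL.exe", "SHA256": SAMPLE_SHA256},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -NoProfile -File C:\Users\victim\AppData\Local\Temp\run.ps1"},
    {"EventID": 3, "Image": r"C:\Users\victim\Downloads\DHL.exe",
     "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\victim\Downloads\DHL.exe",
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587},
    # A real mail client using the same server must not fire the exfil rule.
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587},
]

if __name__ == "__main__":
    for name, images in scan(EVENTS).items():
        print(f"{name}: {', '.join(images)}")
    print("app password shape:", is_gmail_app_password("oadc jzrw bmvr klnl"))
```

The SMTP rule keys on the destination host and the originating image rather than on the extracted username, because the mailbox changes from campaign to campaign while the channel (a non-mail process submitting on 587 to a public provider) does not.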

MITRE ATT&CK Enterprise v15

Tasks