General
- Target: 54dedd8e31bd10edaba740b4a408ccf7f79f04af6da62c3c627bd34c88abbbad
- Size: 640KB
- Sample: 241031-k2kkfawark
- MD5: f6f781c782d9acf9244f6709bddc878d
- SHA1: e9eabc58c3d924de685bfd3970388d6808a365a7
- SHA256: 54dedd8e31bd10edaba740b4a408ccf7f79f04af6da62c3c627bd34c88abbbad
- SHA512: 8a32f3318562757d6b68787c9f39c93b3cf21f9f00341d31d63dfc452b900a37bdcb68704cf78dfc206047dc415e00b46ba1721a783d4bb7b4d3d414ce8108e9
- SSDEEP: 12288:M9AV71q7i01nz6Fo0VD6TaySPmpyWfjYEyfJuAHFrw1DfsG:M9071q7ionIo0sTSM5jYEywswlH
Static task: static1
Behavioral task: behavioral1
- Sample: OpTransactionCyberReceipt31-10-2024.exe
- Resource: win7-20240903-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.magnatextile.com
- Port: 587
- Username: [email protected]
- Password: ow%{&}mti{&}$is
- Email To: [email protected]
Extracted
- Protocol: smtp
- Host: mail.magnatextile.com
- Port: 587
- Username: [email protected]
- Password: ow%{&}mti{&}$is
Targets
- Target: OpTransactionCyberReceipt31-10-2024.exe
- Size: 760KB
- MD5: f14bc331617b1e8b5cafeabb58940b14
- SHA1: abaaefcd9d9a7199be027ce8e8328d2d60afa174
- SHA256: 09ae76100f8286e762987bf307fc01d8dc7a044c90f257dcae81e77122184a23
- SHA512: 9c1c847705a9f498c8056216f4f27675d95e629e82f7e5d26243290f048389156886deb44a74d5495b0bb8ef99c71bcd15ea6ccce3c2fbc28edc0e7d530d7f58
- SSDEEP: 12288:ywRrXQ9TZwevdMO7xeSvOwoqqfVcPg5gsrYYaEspyOfzwE5vUezvx7UwFfRcjcQ:Twvn18qqfVcPg5gs8YkPzwE5Mwd8jd
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 4
  - Credentials In Files: 3
  - Credentials in Registry: 1