General
Target: November shippment Docs.pdf.rar
Size: 630KB
Sample: 241111-ksqp4awhln
MD5: 9f1cbf21a04cd7abf54b4a6ebe528da1
SHA1: a12c25e564eb7544b8d18eefa619cde8df188e85
SHA256: 81e7f043e097b36a44fc8c534af6aab20f121fc387bd229bc7ae04057badaee3
SHA512: e2a7940c92ba6ab40da6bda4e559f464043efe1faa97be8e942f686ee28f5ae21a9bbbada422e356707ec70522cccbfcb9ba605b3d356c64d4b6fc8a820da2f1
SSDEEP: 12288:K/RojTIImVkBh18RWU/FePynHWVmj8DzSECn/a7S6:Z+VkBkRb0PyHWVKaQa7S6
Static task: static1
Behavioral task: behavioral1
Sample: Q2EoNFhO7QQHxgS.exe
Resource: win7-20241010-en
Malware Config
Extracted (agenttesla)
Protocol: smtp
Host: mail.pgsu.co.id
Port: 587
Username: [email protected]
Password: Vecls16@Vezs
Email To: [email protected]
Extracted
Protocol: smtp
Host: mail.pgsu.co.id
Port: 587
Username: [email protected]
Password: Vecls16@Vezs
Targets
Target: Q2EoNFhO7QQHxgS.exe
Size: 824KB
MD5: 43e00d24337d8815e1fa91d9a0536741
SHA1: dd9db121a1ff7cf788b58f2371403ef9cc5473d8
SHA256: d0063dabacc1569353b846cd664cf979784b4855d03e6ed4fc0ef7f013a0bad9
SHA512: 2514b10ebb3269362516970ad3dc9b99e8174e977d38867062b663516920c92a925bdb134a21ceb8c9a7662381e855e38f7e01fc535707ba57b7c5531d2a6a56
SSDEEP: 24576:TgMvIxW+Bi3KvRHgca9/tJ6o4omxmOJJm:T/gV9mZtYo4B9Jm
Signatures
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Agenttesla family
Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter: 1
PowerShell: 1
Scheduled Task/Job: 1
Scheduled Task: 1
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 4
Credentials In Files: 3
Credentials in Registry: 1