General
Target: 9dae147fba1359897a58e48f998e32da5abb67031340abd39f99301f8ea373b3.rar
Size: 699KB
Sample: 241111-pp3byazcje
MD5: 7afb60892f68e0bea7541607b7007376
SHA1: 1b8d1f1e4c127827c478ebebe7d0de1097f2fa55
SHA256: 9dae147fba1359897a58e48f998e32da5abb67031340abd39f99301f8ea373b3
SHA512: 5be095ebb15f11eaa9b86e26cdbff7f19a313dee723f92630f6c7919891ebd4a6d51c9a2b536032bf1bc125d54dbd9bd1a83ad86e8a1024152a83fd393871324
SSDEEP: 12288:5K6W4IYw8+hnjoF4sL5KHORy91ry7QqxMEn2xLVMIHnoeiR/BVGP0:5K63IY3+Zj1sL5xYQMEnk7IRR/Q0
Static task: static1
Behavioral task: behavioral1
Sample: QCP6Umel59hDYWj.exe
Resource: win7-20241023-en
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.pgsu.co.id
Port: 587
Username: [email protected]
Password: Vecls16@Vezs
Email To: [email protected]
Extracted
Protocol: smtp
Host: mail.pgsu.co.id
Port: 587
Username: [email protected]
Password: Vecls16@Vezs
Targets
Target: QCP6Umel59hDYWj.exe
Size: 863KB
MD5: fa00c5e8af643873a2b1f21a2ad37e53
SHA1: 65d79942fcc89adca579223ec8d84adbabdb8da2
SHA256: 9cd7438958ebc2fd54b69944e111165a98002937ada73d4969cf1a5b914dcb43
SHA512: e96054c9d1b709c72b8e4fe69b2e2e8e36b91e2ca82159eccfd99c79bade92ee1a1125de96f4ea5a8b4b10b4604ba13fb5cdece694d4828fbaf6b6a7f4f7496e
SSDEEP: 12288:uqFKqbdlEmbGq/KVtfLky6vXhcmAv++ii31whOGYgOdc9RsODSBfiuMn:uq0qbkmN/K7o/X2NZiifGYgPrmBfXM
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter: 1
PowerShell: 1
Scheduled Task/Job: 1
Scheduled Task: 1
Credential Access
Credentials from Password Stores: 1
Credentials from Web Browsers: 1
Unsecured Credentials: 4
Credentials In Files: 3
Credentials in Registry: 1