General
- Target: c0516d9cad09ae1382c71f32c3e8dbe4733c6a6dde07956161d62dcb09db0b5b
- Size: 640KB
- Sample: 241114-p5kf3azbke
- MD5: 5d50f4c83c18772e9ca1b6612409168c
- SHA1: 6b6cba0ca0fdf312b2cd6a6b987684f98ac4fbe6
- SHA256: c0516d9cad09ae1382c71f32c3e8dbe4733c6a6dde07956161d62dcb09db0b5b
- SHA512: 484d6c4ca0863e29338e240823b65fffdf99a10c4900bf8e975f0ab78d9e52df4cdc508a55a20380bdbc544f3412c244d9dfa5fcc92d19403ff003f51e650569
- SSDEEP: 12288:07JMjqvylx1MfZwZrNQSZA5d6pV4fZBF0G/0Egu1zNSEsXWh1W:0+jLl8Zq+MLpV4h3bc7gRh/h1W
Static task: static1
Behavioral task: behavioral1
- Sample: yyKuc4Eg5i3P81j.exe
- Resource: win7-20241023-en
Malware Config
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.apexrnun.com
- Port: 587
- Username: [email protected]
- Password: %qroUozO;(C2Rlyb
- Email To: [email protected]
Extracted
- Protocol: smtp
- Host: mail.apexrnun.com
- Port: 587
- Username: [email protected]
- Password: %qroUozO;(C2Rlyb
Targets
- Target: yyKuc4Eg5i3P81j.exe
- Size: 744KB
- MD5: 3e950f49d054b5e8cd4cf569f63681a5
- SHA1: 4e850f0acd0c1601d3229c8f1c9f5b6f4c0d09ee
- SHA256: 18f71d49384f2295251ad2e02bad618254c26f9b719ceaf641f077a00ac7d1a6
- SHA512: 30e202088fec6e6b2a907e32530f3735b87d772b377248718d643e8fdc677922ec6351c819f3644522f78e9409bedfb20cfe11436105de38377a8128ad05bf59
- SSDEEP: 12288:fk5lCJVM6Z3fyRNtx1X0GLj7MPFCV43pAlJB4bfZ26STgZYChuLUr2m/4i:c5lCJVyNtMGvyF93p0mbh26BhhiUFg
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Unsecured Credentials: 4
- Credentials In Files: 3
- Credentials in Registry: 1