General
Target: 2024-11-14_fa4846c0444989818272902a0e5d2044_formbook_hiddentear
Size: 680KB
Sample: 241114-rt2bjs1apb
MD5: fa4846c0444989818272902a0e5d2044
SHA1: 89aae664e482a33ad57ff2d6afff08f9054bcea5
SHA256: 0cdd69862bf252d0ddbcbdf11612604b8cc055c7b09d5b948d84589569c492eb
SHA512: 6f4dad2ca2491dadc1315b13cc1b76c03a855ce50c073481ccfd52c1fd0af2c754826947e3f1e83cae44c8a777352cc97ddff67b98ac1b59e47b02d04e37f74c
SSDEEP: 12288:qMyCUQXJlDNTPcNLzW6jFhxnd0fA+Qy7nV3A277LRODSZcIVJvnbr4EiGnU/P+Vv:qMyeX/DNTUNLzbVCPQy7ni27pOOZcSjY
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-11-14_fa4846c0444989818272902a0e5d2044_formbook_hiddentear.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-11-14_fa4846c0444989818272902a0e5d2044_formbook_hiddentear.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted: agenttesla
  Protocol: ftp
  Host: ftp://ftp.kesoremrayon.com
  Port: 21
  Username: [email protected]
  Password: hHjRIMC^uNWw
Targets
Target: 2024-11-14_fa4846c0444989818272902a0e5d2044_formbook_hiddentear
Size: 680KB
MD5: fa4846c0444989818272902a0e5d2044
SHA1: 89aae664e482a33ad57ff2d6afff08f9054bcea5
SHA256: 0cdd69862bf252d0ddbcbdf11612604b8cc055c7b09d5b948d84589569c492eb
SHA512: 6f4dad2ca2491dadc1315b13cc1b76c03a855ce50c073481ccfd52c1fd0af2c754826947e3f1e83cae44c8a777352cc97ddff67b98ac1b59e47b02d04e37f74c
SSDEEP: 12288:qMyCUQXJlDNTPcNLzW6jFhxnd0fA+Qy7nV3A277LRODSZcIVJvnbr4EiGnU/P+Vv:qMyeX/DNTUNLzbVCPQy7ni27pOOZcSjY
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)