General

  • Target

    7804d202444c674f18d777634af6d2778ddcadd331b1cc5d8ab590a8561d66d4

  • Size

    692KB

  • Sample

    241121-bfb7haxalg

  • MD5

    7515f214e575b15d4bd7fe53313f740a

  • SHA1

    72e3407fac6be13dc2466fef02fca2ebc6d60dd6

  • SHA256

    7804d202444c674f18d777634af6d2778ddcadd331b1cc5d8ab590a8561d66d4

  • SHA512

    35bc4e6fd749136b83b8bad5eae2da51fd70a10c46f9d4a16d5fd3ffae0dae11d0f224ae6324f5024dbfd7777ba8634f1a3af4359d67b00933af9f0847107614

  • SSDEEP

    12288:q5AgFd918tPwTfYq1ZtoMxf5Cs814Aq/EamrnJuiu01x/pC9:8Ag6wEMZtoMSs8DeEamlxxC

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DATASHEET.exe

    • Size

      631KB

    • MD5

      8b627084e10ad9b77436a4c3d8ea5ebb

    • SHA1

      7db5ee2ab5fdc91fa29a521f7f9779684f9e4abd

    • SHA256

      10f6d70d363d93fce85e92f2ea94a36eda4c755606581cd101652afaa97a91fc

    • SHA512

      45ccb2de3d572d2244f4676322834ddf8bf003ff7e4955bf5510ff082aa42cd1b519c6b9ee43dbad5eef6af96c6b5c6e8121e5ce0779aa4f1834bd1bbb57035f

    • SSDEEP

      12288:f5AgFd918tPwTfYq1ZtoMxf5Cs814Aq/EamrnJuiu01x/pC9:hAg6wEMZtoMSs8DeEamlxxC

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks