General
-
Target
85902cbc14f1f002d333f41395e8dbc58b7224972719052ea316b78ab387039c
-
Size
726KB
-
Sample
241121-bt2pbaskcj
-
MD5
b448ab45fe85c873a8b1591a1e744217
-
SHA1
8957e388c4f77329a071ae455c2f35c08db0d178
-
SHA256
85902cbc14f1f002d333f41395e8dbc58b7224972719052ea316b78ab387039c
-
SHA512
1ebfd8cf29ab01dc867b56597f9bc077d9a40e5d25f3dae4b4436e5324016ca824ea200800bec82f0fc14237d424896c9ee023ff6904e979e80423db92e881e2
-
SSDEEP
12288:PL+RTjvY2ZT/7C/l8fd9FI7d+U4tpN4o5oEZToPYf/uH0OjrCtL/2j+ZOrrBdS:PL+tjw29cshKd+Ukz5PZvf/uUOjmNS+Z
Static task
static1
Behavioral task
behavioral1
Sample
RFQ_TFS-1509-AL NASR ENGINEERING.exe
Resource
win7-20241010-en
Malware Config
Extracted
Protocol: ftp- Host:
ftp.ercolina-usa.com - Port:
21 - Username:
[email protected] - Password:
,%EVY$JU0=lu
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.ercolina-usa.com - Port:
21 - Username:
[email protected] - Password:
,%EVY$JU0=lu
Targets
-
-
Target
RFQ_TFS-1509-AL NASR ENGINEERING.exe
-
Size
769KB
-
MD5
408a48c1608970d44f98725c56fc1fdf
-
SHA1
7253a22b1966427ec989c8fcc892fbf51086ced6
-
SHA256
6deca5f293b38099e0414eb589451aa6880e7c4e2812f90dd6d59fcb768409c6
-
SHA512
ac02fce542ff5c315773e48aa192b4b23647387529826ca48a372bc7ec70bd003ebb0e3cc30ea54f7af17423a417d8024922a47cd42cd5881496e86ca6538b86
-
SSDEEP
12288:4rOJ+Ri3AgFd1DQrQzPzs9C/vm/AncL47aXCaMv6eEJ4T7o6M88g/orX04RTBWjc:UQ3AgCtWyAe47aXCaSDmuoI84oI6WFE
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1